Overview

Contents
Product overview . . . . . 1
What is new in version 2 . . . . . 1
Login URL and initial user ID . . . . . 2
Problems with shared browser sessions . . . . . 6
Password policy . . . . . 6
Changing the password policy . . . . . 7
Changing a user password . . . . . 8
Resetting a password on distributed systems . . . . . 9
Roles . . . . . 10
Features overview . . . . . 17
Key serving . . . . . 17
Encryption-enabled 3592 tape drives and LTO tape drives . . . . . 20
Enterprise Storage - DS8000 Storage Controller (2107, 242x) . . . . . 20
IBM System Storage - DS5000 Storage Controller (1818-51A, 1818-53A, and 1814-20A) . . . . . 20
Backup and restore . . . . . 20
Audit . . . . . 21
Technical overview . . . . . 21
Keys overview . . . . . 21
Main components . . . . . 29
Backup and restore . . . . . 30
Release information . . . . . 31
Hardware and software requirements . . . . . 31
Installation images and fix packs . . . . . 40
Known limitations, problems, and workarounds . . . . . 40
Problem determination . . . . . 56
About this information . . . . . 58
Intended audience . . . . . 58
Publications . . . . . 59
Tivoli technical training . . . . . 60
Support information . . . . . 60
Conventions used in this information . . . . . 60
Notices . . . . . 63
Trademarks . . . . . 64
Index . . . . . 67
Product overview
These topics describe the Tivoli Key Lifecycle Manager product and its business and technology context. They include information about:
- Product features and functions
- Technologies and architecture on which the product is based
- The user model and roles underlying the product features
- The graphical interfaces and tools that support various user roles
- Requiring a password for the tklmKeyExport command, to protect the PKCS#12 file to which the private key and certificate are exported.
  Note: If you migrate data from Tivoli Key Lifecycle Manager Version 1, any scripts or applications that you previously used to automate key export require modification to specify a password.
- Supporting auto-pending requests. There are three modes for adding new devices: a device is added automatically, added pending approval from an administrator, or added manually. Automatic addition accepts any device that contacts the server without administrator review; use the pending-approval mode where that is a concern.
- Creating additional device groups from a predefined set of device group families, new in this release. Categorize and identify device groups based on use by a division within the company, or by the manufacturer. Different device groups can each have their own administrator, using the role-based access control function.
- Supporting variable-length serial numbers for LTO tape drives and DS5000 storage servers.
- Enabling concurrent administration: simultaneous access by multiple Tivoli Key Lifecycle Manager administrators.
- Managing trusted certificates for secure communication: server certificates and client certificates for devices that use the SSL, Internet Key Exchange, or Key Management Interoperability Protocol protocols.
- Providing an additional certificate for DS8000 Turbo drives. Optionally specify a second certificate that the storage image might use.
- Simplifying the use of DB2: DB2 is started automatically during Tivoli Key Lifecycle Manager installation.
- Providing additional Welcome page status information in the graphical user interface: pending device requests, key groups and certificates, and the status of configured protocols.
- On Windows systems, providing a link from the Start menu to the Web interface. On systems such as Linux or AIX, providing an HTML file with a link to the Web interface.
Login URL
The login URL enables you to access the Tivoli Key Lifecycle Manager Web interface. The login URL for the Tivoli Key Lifecycle Manager administrative console is:
https://ip-address:port/ibm/console
The value of ip-address is an IP address or DNS host name of the Tivoli Key Lifecycle Manager server. On systems such as AIX or Linux, the login URL and installed port numbers are stored in the TIP_HOME/etc/tklmadmin.html file, which you can load in your browser.
On Windows systems, the information is on the Start menu. Click Start > All Programs > Tivoli Key Lifecycle Manager 2.0 > Tivoli Integrated Portal.
For example, on distributed systems:
https://strawberry.mylab.mycity.mycompany.com:16316/ibm/console
If you use an https address, the default port on distributed systems is 16316. If you use http, the default port is 16310, for example:
http://strawberry.mylab.mycity.mycompany.com:16310
Prefer the https URL for administration: a login over http sends the administrator password in clear text unless the server redirects the request to the https port.
Do not use a port value greater than 65520. The default port shown on the WebSphere Application Server information panel continues to be 16310. In the case of migration, or if the default port conflicts with another service, Tivoli Integrated Portal automatically selects another free port. The installation complete panel indicates the port that is configured for Tivoli Integrated Portal. The Windows Start menu contains an entry that connects to Tivoli Integrated Portal using the correct port number. For systems such as Linux or AIX, the installed TIP_HOME/etc/tklmadmin.html file contains the URL with the port number to which Tivoli Integrated Portal and Tivoli Key Lifecycle Manager are deployed.
Table 1. Administrator user IDs and passwords (continued)

Program: Tivoli Key Lifecycle Manager administrator
User ID: TKLMAdmin. As the primary administrator with full access to all operations, this user ID has the klmSecurityOfficer super user role in the group that is named klmSecurityOfficerGroup. The user ID is not case-sensitive; tklmadmin is equivalent. Use the TKLMAdmin user ID to administer Tivoli Key Lifecycle Manager. The TKLMAdmin user ID can:
- View and use the Tivoli Key Lifecycle Manager interface.
- Change the password for the Tivoli Key Lifecycle Manager administrator.
However, it cannot:
- Create additional Tivoli Key Lifecycle Manager administrator user IDs.
- Do Tivoli Integrated Portal administrator tasks such as creating or assigning a role.
- Start or stop the server.
Password: Specify and securely store a password during installation.

Program: Tivoli Integrated Portal administrator
User ID: TIPAdmin. This user ID is not case-sensitive; tipadmin is equivalent, or use a user ID that you specify during installation. Do not use the TKLMAdmin user ID to administer Tivoli Integrated Portal, and do not use the TIPAdmin user ID to administer Tivoli Key Lifecycle Manager: the TIPAdmin user ID has no roles in Tivoli Key Lifecycle Manager.
This is the Tivoli Integrated Portal and WebSphere Application Server administrator user ID. With the tipadmin user ID, you can:
- View and use only the Tivoli Integrated Portal interface.
- Create additional Tivoli Key Lifecycle Manager administrator user IDs, groups, and roles.
- Reset the password of any Tivoli Key Lifecycle Manager user ID, including the TKLMAdmin administrator.
- Start and stop the server.
However, you cannot:
- Use Tivoli Key Lifecycle Manager to complete tasks. For example, you cannot create Tivoli Key Lifecycle Manager device groups.
- Do other tasks that require access to Tivoli Key Lifecycle Manager data. The tipadmin user ID does not have superuser access to Tivoli Key Lifecycle Manager data.
Password: Specify and securely store a password during installation. Protect the TIPAdmin user ID as carefully as the TKLMAdmin user ID: it can reset the TKLMAdmin password and can create new Tivoli Key Lifecycle Manager users and assign their permissions, so whoever holds it can grant full access to the key data.

Program: Instance owner of the Tivoli Key Lifecycle Manager DB2 database
User ID: On Windows systems and on systems such as AIX or Linux, the default value is tklmdb2. You might specify a different value during installation. This ID is the installation default user ID for the instance owner of the database. Do not specify a user ID longer than eight characters. The instance name is also tklmdb2. If DB2 is on a system such as AIX or Linux, the user ID must be in the bin or root group, or in a separate group in which root is a member. If you use an existing user ID as instance owner of the Tivoli Key Lifecycle Manager database, that user ID cannot own another database instance.
Note: Do not use a hyphen (-) or underscore (_) character when you specify a user ID for an existing copy of DB2.
Database instance: The administrator ID tklmdb2 owns a DB2 instance named tklmdb2.
Password: Specify and securely store a password during installation. This password is an operating system password. If you change the password on the operating system, you must also change this password. For more information, see Resetting a password on distributed systems on page 9.
Password policy
The password policy that applies to the password of a new Tivoli Key Lifecycle Manager user is specified by the TKLM_HOME/config/TKLMPasswordPolicy.xml file. The policy does not apply to the initial passwords that are created during Tivoli Key Lifecycle Manager installation for default users such as TKLMAdmin. The policy does apply to changes to passwords for default users, and to new and changed passwords for new users. Policy checking is done only when you create or change a user profile. You must assign a role to a new user before that user attempts to log in to Tivoli Key Lifecycle Manager.
The password policy is enabled by default. You can use an XML or ASCII editor to change the file. To disable the policy, change the value of the enabled attribute of the PasswordPolicy element from true to false:
    <PasswordPolicy enabled="true" ...>
The rules that compare the password with the user ID and user name are case-sensitive unless you use their CaseInsensitive forms. The default policy uses NotUserIDCaseInsensitive and NotUserNameCaseInsensitive:
    <?xml version="1.0" encoding="UTF-8"?>
    <PasswordPolicy enabled="true" name="Password policy for Tivoli Key Lifecycle Manager" uuid="" version="1.0">
      <Description/>
      <PasswordRules><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
    <PasswordRuleSet version="1.0">
      <MinLengthConstraint Min="6"/>
      <MaxLengthConstraint Max="20"/>
      <MaxSequentialChars Max="2"/>
      <MinAlphabeticCharacters Min="3"/>
      <MinDigitCharacters Min="2"/>
      <NotUserIDCaseInsensitive/>
      <NotUserNameCaseInsensitive/>
    </PasswordRuleSet>
    ]]></PasswordRules>
    </PasswordPolicy>
The shipped minimum of 6 characters with 3 letters and 2 digits is a low bar for an account that administers encryption keys; raise the Min values to match your organization's standard.
Changing the password policy
1. Before you begin, make a backup copy of the TKLM_HOME/config/TKLMPasswordPolicy.xml file in a secure location. You can revert to the backup copy if a changed password policy has problems.
2. Edit the TKLMPasswordPolicy.xml file in a text editor, changing only the values of the XML elements and attributes in the password policy.
3. Save the changed file. The policy change takes effect immediately. You do not need to restart the Tivoli Key Lifecycle Manager server.
4. Test the changes. Log in to Tivoli Integrated Portal as TIPAdmin and create a user profile for a new user. Confirm that a password that meets the policy is accepted, and that a password that violates the policy is rejected. When done, delete the test user profile if it is no longer needed.
2. Change the password for a user.
- Graphical user interface:
  a. On the WIM User Management > Search for Users dialog, click Search.
  b. In the search criteria table, double-click a selected user ID. For example, double-click myAdmin.
  c. On the User Properties dialog, change the value of the Password and Confirm password fields and click OK.
- Command-line interface:
  a. Type updateUser and specify the required values. For example, using Jython, type on one line:
    print AdminTask.updateUser('[-uniqueName uid=test2,o=defaultWIMFileBasedRealm -password secret12 -confirmPassword secret12]')
  where:
  -uniqueName
    Specifies the unique name of the user whose password you want to change. (String, required) You can use the searchUsers command to verify that the name correctly identifies the user before you change the password.
  -password
    Specifies the new password for the user. (String, required) The new password must comply with the password policy that Tivoli Key Lifecycle Manager provides.
  -confirmPassword
    Specifies the password again, to validate how it was entered for the password parameter. (String, optional)
What to do next
Next, validate that the user can log in. Log out as TIPAdmin. Log in as the user and confirm that the changed password is accepted.
Note: Only the TIPAdmin user ID, or another user ID with Tivoli Integrated Portal administrator authority, can change passwords using the AdminTask.changeFileRegistryAccountPassword command. Passwords that you set with the AdminTask.changeFileRegistryAccountPassword command are not validated against the password policy that Tivoli Key Lifecycle Manager provides, so check a reset password against the policy yourself. After a lost password reset, the user must set the password using the graphical user interface.
  c. Save the change and exit:
    wsadmin>print AdminConfig.save()
    wsadmin>exit
- Systems such as Linux or AIX:
  a. Start a wsadmin session using the Jython syntax. For example, type on one line:
    TIP_HOME/bin/wsadmin.sh -conntype none -profileName TIPProfile -lang jython
  Note: The same restriction applies: only the TIPAdmin user ID, or another user ID with Tivoli Integrated Portal administrator authority, can run AdminTask.changeFileRegistryAccountPassword, and the password it sets is not validated against the password policy. After a lost password reset, the user must set the password using the graphical user interface.
  c. Save the change and exit:
    wsadmin>print AdminConfig.save()
    wsadmin>exit
5. Verify that you can log in as the specified administrator using the new password.
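The rules in the password policy, and the updateUser command from Changing a user password, as an added Python example that is not part of Tivoli Key Lifecycle Manager: it parses a copy of the default TKLMPasswordPolicy.xml (constructed here from the listing above), reports which rules a candidate password breaks, and only then emits the wsadmin command line. Reading MaxSequentialChars as a run of consecutive code points, treating the two Not... rules as containment checks, and the sample user test2 are assumptions. Because AdminTask.changeFileRegistryAccountPassword skips the policy, run the same check before a reset.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a copy of the default TKLMPasswordPolicy.xml rule set shown
# in the text. In practice read TKLM_HOME/config/TKLMPasswordPolicy.xml instead.
DEFAULT_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<PasswordPolicy enabled="true" name="Password policy for Tivoli Key Lifecycle Manager" uuid="" version="1.0">
  <Description/>
  <PasswordRules><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<PasswordRuleSet version="1.0">
  <MinLengthConstraint Min="6"/>
  <MaxLengthConstraint Max="20"/>
  <MaxSequentialChars Max="2"/>
  <MinAlphabeticCharacters Min="3"/>
  <MinDigitCharacters Min="2"/>
  <NotUserIDCaseInsensitive/>
  <NotUserNameCaseInsensitive/>
</PasswordRuleSet>
]]></PasswordRules>
</PasswordPolicy>
"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _strip_decl(text):
    # ElementTree.fromstring() is given an already-decoded str; drop the
    # declaration so its encoding attribute cannot conflict with that.
    return _XML_DECL.sub("", text, count=1)


def parse_policy(policy_xml):
    """Return (enabled, {rule_tag: attributes}) from a TKLMPasswordPolicy.xml document.
    The rule set is itself an XML document wrapped in CDATA, so it is parsed twice."""
    root = ET.fromstring(_strip_decl(policy_xml))
    enabled = root.get("enabled", "true").strip().lower() == "true"
    rules = {}
    rules_el = root.find("PasswordRules")
    if rules_el is not None and rules_el.text and rules_el.text.strip():
        for rule in ET.fromstring(_strip_decl(rules_el.text)):
            rules[rule.tag] = dict(rule.attrib)
    return enabled, rules


def _longest_sequential_run(s):
    # Assumption: "sequential" means a run of code points that step up by one,
    # such as "abc" or "123".
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if ord(cur) == ord(prev) + 1 else 1
        best = max(best, run)
    return best


def check_password(password, user_id, user_name, policy_xml=DEFAULT_POLICY):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    enabled, rules = parse_policy(policy_xml)
    if not enabled:
        return []
    violations = []
    for tag, attrs in rules.items():
        if tag == "MinLengthConstraint" and len(password) < int(attrs["Min"]):
            violations.append("shorter than %s characters" % attrs["Min"])
        elif tag == "MaxLengthConstraint" and len(password) > int(attrs["Max"]):
            violations.append("longer than %s characters" % attrs["Max"])
        elif tag == "MaxSequentialChars" and _longest_sequential_run(password) > int(attrs["Max"]):
            violations.append("more than %s sequential characters" % attrs["Max"])
        elif tag == "MinAlphabeticCharacters" and sum(c.isalpha() for c in password) < int(attrs["Min"]):
            violations.append("fewer than %s letters" % attrs["Min"])
        elif tag == "MinDigitCharacters" and sum(c.isdigit() for c in password) < int(attrs["Min"]):
            violations.append("fewer than %s digits" % attrs["Min"])
        # Assumption: the two "Not..." rules reject a password that contains the
        # user ID or user name, compared without regard to case.
        elif tag == "NotUserIDCaseInsensitive" and user_id and user_id.lower() in password.lower():
            violations.append("contains the user ID")
        elif tag == "NotUserNameCaseInsensitive" and user_name and user_name.lower() in password.lower():
            violations.append("contains the user name")
    return violations


def update_user_command(unique_name, password):
    """wsadmin Jython form of the updateUser command shown above: AdminTask takes
    one string of -parameter value pairs inside square brackets."""
    return ("print AdminTask.updateUser('[-uniqueName %s -password %s -confirmPassword %s]')"
            % (unique_name, password, password))


def prepare_password_change(unique_name, user_id, user_name, password, policy_xml=DEFAULT_POLICY):
    """Check the policy first, then return the wsadmin command to paste into the session.
    Do this also before AdminTask.changeFileRegistryAccountPassword, which skips the policy."""
    problems = check_password(password, user_id, user_name, policy_xml)
    if problems:
        raise ValueError("password rejected by policy: " + "; ".join(problems))
    return update_user_command(unique_name, password)


if __name__ == "__main__":
    print(prepare_password_change("uid=test2,o=defaultWIMFileBasedRealm", "test2", "Test User", "secret12"))
    print(check_password("abc123", "test2", "Test User"))
```

The check runs entirely offline, so it can sit in a change-control script that refuses to print the wsadmin line until the candidate password passes; the password never needs to reach a log file because only the violation list is reported on failure.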
Roles
Tivoli Key Lifecycle Manager provides a super user (klmSecurityOfficer) role and the means to specify more limited administrative roles to meet the needs of your organization. By default, the TKLMAdmin user ID has the klmSecurityOfficer role. For backup and restore tasks, Tivoli Key Lifecycle Manager also installs the klmBackupRestoreGroup to which no user IDs initially belong. Installing Tivoli Key Lifecycle Manager creates predefined administrator, operator, and auditor groups to manage LTO tape drives.
The TIPAdmin user ID has the authority to create and assign these roles, and to change the password of any Tivoli Key Lifecycle Manager administrator. To set administration limits for Tivoli Key Lifecycle Manager, use the TIPAdmin user ID on the Tivoli Integrated Portal Console to create roles, users, and groups. Assign roles and users to a group. For example, you might create a group and assign to it both users and a role that limits their activity to administering only LTO tape drives. You must assign a role to a new user before that user attempts to log in to Tivoli Key Lifecycle Manager.
Before you begin:
- Determine the limits on device administration that your organization requires. For example, you might determine that a specific device group has its own administration.
- Estimate how many administrative users might be needed over an interval of time. For ease of use, consider specifying a group and a role to specify their tasks. For example, you might specify a group that has a limited range of permissions to manage only 3592 tape drives.
Figure 1. Relations between users, groups, roles, and protected objects. Users are members of groups, groups are members of roles, and roles are authorized for operations on protected objects.
You can use Tivoli Integrated Portal to create child groups with different permissions within a parent group. However, Tivoli Key Lifecycle Manager recognizes the permissions of only the parent group, not the permissions of its child groups.
Available permissions
Installing Tivoli Key Lifecycle Manager creates the TKLMAdmin user ID, which has the klmSecurityOfficer role as the default super user. The installation process also deploys predefined permissions to the WebSphere Application Server list of administrative roles. A permission from Tivoli Key Lifecycle Manager enables an action or the use of a device group. A role in Tivoli Key Lifecycle Manager is one or more permissions. However, in the Tivoli Integrated Portal graphical user interface, the term role includes both Tivoli Key Lifecycle Manager permissions and roles.
Note: Installation creates these default groups:
klmSecurityOfficerGroup
  Installation assigns the klmSecurityOfficer role to this group. The klmSecurityOfficer role replaces the previous klmApplicationRole role in the group that was named klmGroup. The klmSecurityOfficer role has:
  - Root access to the entire set of permissions and device groups described in Table 3 on page 13 and Table 4 on page 13.
  - Permission to any role or device group that might be created.
  - The suppressmonitor role. Tivoli Integrated Portal provides the suppressmonitor role to hide tasks in the left pane of the Tivoli Integrated Portal Console that a Tivoli Key Lifecycle Manager administrator does not use. Hidden items are associated with the application server, including Tivoli Integrated Portal administrative tasks in the Security, Troubleshooting, and Users and Groups folders.
klmBackupRestoreGroup
  Back up and restore Tivoli Key Lifecycle Manager.
LTOAdmin
  Administer devices in the LTO device family with actions that include create, view, modify, delete, get (export), back up, and configure.
LTOOperator
  Operate devices in the LTO device family with actions that include create, view, modify, and back up.
LTOAuditor
  Audit devices in the LTO device family with actions that include view and audit.
A user who has any one of the permissions in Table 3 on page 13 can view: v Tivoli Key Lifecycle Manager global configuration parameters that are defined in the TKLMgrConfig.properties file. v The key server status and last backup date.
Table 3. Permissions for actions
Permission | Scope | Enables these actions
klmCreate | Associated with device groups | Create but not view, modify, or delete objects.
klmDelete | Associated with device groups | Delete objects, but not view, modify, or create objects.
klmGet | Associated with device groups | Export a key or certificate for a client device.
klmModify | Associated with device groups | Modify objects, but not view, create, or delete objects.
klmView | Associated with device groups | View objects, but not create, delete, or modify objects. For example, you must have this permission to see the tasks that you want to do in the graphical user interface.
klmAdminDeviceGroup | Unrelated to device groups | Administer device groups: create a device group, set default parameters, view, and delete an empty device group. This permission does not provide access to devices, keys, or certificates.
klmAudit | Unrelated to device groups | View audit data using the tklmServedDataList command.
klmBackup | Unrelated to device groups | Create and delete a backup of Tivoli Key Lifecycle Manager data.
klmConfigure | Unrelated to device groups | Read and change Tivoli Key Lifecycle Manager configuration properties, or act on SSL or IKEv2-SCSI certificates. Add, view, update, or delete the keystore.
klmRestore | Unrelated to device groups | Restore a previous backup copy of Tivoli Key Lifecycle Manager data.
The klmSecurityOfficer role also has root access to permissions for all device groups.
Table 4. Device groups
Permission | Allows actions on these objects
LTO | LTO device family
TS3592 | 3592 device family
DS5000 | DS5000 device family
DS8000 | DS8000 device family
BRCD_ENCRYPTOR | BRCD_ENCRYPTOR device group
ONESECURE | ONESECURE device group
GENERIC | Objects in the GENERIC device family
userdevicegroup | A user-defined instance such as myLTO that you manually create, based on a predefined device family such as LTO
Multiple permissions
To work on devices, a user must have permissions for one or more actions and one or more device groups. Errors occur if a user has:
Action permissions, but no device group permission
  For example, the user has the set of action permissions that include view, create, modify, and delete, but has no device group permission on which to apply an action.
Device group permissions, but no action permission
  For example, the user has device group permissions that include LTO and 3592, but has no action permission to take against a device group.
A new role for a new device group, but no action permissions
  For example, the user has a new role myLTO that was created for a new device group named myLTO, but has no other action permissions.
Permissions might be:
- Directly assigned. For example, your role as a user might have view and modify permissions for a specific device group.
- Obtained by group membership. Permissions are specific to a device group. You might be a member of two user groups. For example, membership in one user group might grant view and modify permissions for use with an LTO device group. A second user group might grant view, create, and modify permissions for use with a 3592 device group. You can view and modify a device in either device group. However, you can complete a create action only for devices in the 3592 device group.
Data such as keys and certificates are associated with a device group. Such data is visible only in graphical user interface pages for the device group to which the data is associated. A user with permissions to several device groups can change the association of data from one device group to another for which the user holds appropriate permissions.
Some properties or attributes in the Tivoli Key Lifecycle Manager database are associated with device groups. For example, the symmetricKeySet attribute in the Tivoli Key Lifecycle Manager database is associated with the predefined LTO device group. To change the attribute, your role must have a permission to the modify action and a permission to the LTO device group.
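The combination rule described above, as an added Python model that is not Tivoli Key Lifecycle Manager code: an operation needs an action permission and a device group permission from the same role, a child group contributes only its parent's permissions, and klmSecurityOfficer bypasses both checks. The group names, users, and the myLTO role are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

ACTION_PERMISSIONS = {"klmCreate", "klmDelete", "klmGet", "klmModify", "klmView"}
# Permissions from the tables above that are not tied to a device group.
NON_DEVICE_PERMISSIONS = ACTION_PERMISSIONS | {
    "klmAdminDeviceGroup", "klmAudit", "klmBackup", "klmConfigure", "klmRestore", "suppressmonitor",
}
SUPER_ROLE = "klmSecurityOfficer"


@dataclass
class Group:
    """A Tivoli Integrated Portal group carrying the permissions of the role assigned to it."""
    name: str
    permissions: set
    parent: Optional["Group"] = None

    def effective_permissions(self):
        # TKLM recognizes only the parent group's permissions, so walk to the top.
        group = self
        while group.parent is not None:
            group = group.parent
        return set(group.permissions)


@dataclass
class User:
    name: str
    direct_permissions: set = field(default_factory=set)
    groups: list = field(default_factory=list)


def _permission_sources(user):
    """One entry per role: the user's own permissions and each group membership.
    Sources stay separate because an action from one role does not combine with
    a device group from another (the two-group example above)."""
    sources = [("direct", set(user.direct_permissions))]
    sources += [(g.name, g.effective_permissions()) for g in user.groups]
    return sources


def authorize(user, action, device_group):
    """Return (allowed, reason) for performing `action` on a device in `device_group`."""
    sources = _permission_sources(user)
    everything = set().union(*(perms for _, perms in sources))
    if SUPER_ROLE in everything:
        return True, "klmSecurityOfficer has root access to all actions and device groups"
    for name, perms in sources:
        if action in perms and device_group in perms:
            return True, "granted by %s" % name
    if not everything & ACTION_PERMISSIONS:
        return False, "device group permissions, but no action permission"
    if not everything - NON_DEVICE_PERMISSIONS:
        return False, "action permissions, but no device group permission"
    return False, "no single role grants both %s and %s" % (action, device_group)


def demo():
    # Constructed groups mirroring the example in the text.
    lto_ops = Group("lto-operators", {"klmView", "klmModify", "LTO"})
    ts3592_ops = Group("3592-operators", {"klmView", "klmCreate", "klmModify", "TS3592"})
    # A child group: its extra klmDelete permission is ignored by TKLM.
    night_shift = Group("3592-night-shift", {"klmDelete", "TS3592"}, parent=ts3592_ops)
    my_lto_only = Group("myLTO", {"myLTO"})  # role for a new device group, no actions

    alice = User("alice", groups=[lto_ops, ts3592_ops])
    bob = User("bob", groups=[night_shift])
    carol = User("carol", groups=[my_lto_only])
    officer = User("tklmadmin", direct_permissions={SUPER_ROLE})

    return {
        "alice view LTO": authorize(alice, "klmView", "LTO"),
        "alice create TS3592": authorize(alice, "klmCreate", "TS3592"),
        "alice create LTO": authorize(alice, "klmCreate", "LTO"),
        "bob delete TS3592": authorize(bob, "klmDelete", "TS3592"),
        "bob create TS3592": authorize(bob, "klmCreate", "TS3592"),
        "carol view myLTO": authorize(carol, "klmView", "myLTO"),
        "officer delete DS8000": authorize(officer, "klmDelete", "DS8000"),
    }


if __name__ == "__main__":
    for check, (allowed, reason) in demo().items():
        print("%-22s %-5s %s" % (check, allowed, reason))
```

The point of keeping the sources separate is the case "alice create LTO": a flat union of her permissions would contain both klmCreate and LTO and wrongly allow it; the per-role check refuses it, as the text says it should.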
LTOAdmin group: Membership in the LTOAdmin group enables you to administer devices in the LTO device family with actions that include create, view, modify, delete, get (export), back up, and configure. Permissions for this group include:
Table 5. Permissions for actions
Permission | Enables these actions
LTO | LTO device family
klmCreate | Create but not view, modify, or delete objects.
klmDelete | Delete objects, but not view, modify, or create objects.
klmGet | Export a key or certificate for a client device.
klmModify | Modify objects, but not view, create, or delete objects.
klmView | View objects, but not create, delete, or modify objects.
klmAudit | View audit data using the tklmServedDataList command.
klmBackup | Create and delete a backup of Tivoli Key Lifecycle Manager data.
klmConfigure | Read and change Tivoli Key Lifecycle Manager configuration properties, or act on SSL or IKEv2-SCSI certificates. Add, view, update, or delete the keystore.
suppressmonitor | Hide tasks in the left pane of the Tivoli Integrated Portal Console that a Tivoli Key Lifecycle Manager administrator does not need to use.
LTOOperator group: Membership in the LTOOperator group enables you to operate devices in the LTO device family with actions that include create, view, modify, and back up. Permissions for this group include:
Table 6. Permissions for actions
Permission | Enables these actions
LTO | LTO device family
klmCreate | Create but not view, modify, or delete objects.
klmModify | Modify objects, but not view, create, or delete objects.
klmView | View objects, but not create, delete, or modify objects.
klmBackup | Create and delete a backup of Tivoli Key Lifecycle Manager data.
suppressmonitor | Hide tasks in the left pane of the Tivoli Integrated Portal Console that a Tivoli Key Lifecycle Manager administrator does not need to use.
LTOAuditor group: Membership in the LTOAuditor group enables you to audit devices in the LTO device family with actions that include view and audit. Permissions for this group include:
Table 7. Permissions for actions
Permission | Enables these actions
LTO | LTO device family
klmView | View objects, but not create, delete, or modify objects.
klmAudit | View audit data using the tklmServedDataList command.
suppressmonitor | Hide tasks in the left pane of the Tivoli Integrated Portal Console that a Tivoli Key Lifecycle Manager administrator does not need to use.
For more information, search for user roles in the Tivoli Common Reporting for Asset and Performance Management information center.
Features overview
Tivoli Key Lifecycle Manager enables you to manage the life cycle of the keys and certificates of an enterprise. You can manage symmetric keys, asymmetric key pairs, and certificates. Tivoli Key Lifecycle Manager provides:
- Role-based access control that grants permissions to do tasks such as create, modify, and delete for specific device groups. Most permissions are associated with specific device groups.
- Extension of support to devices that use the industry-standard Key Management Interoperability Protocol (KMIP) for encryption of stored data and the corresponding cryptographic key management.
- Extension of support to devices that use Internet Key Exchange (IKEv2-SCSI) Version 1 for secure interchange of keys between cryptographic units.
  Note: Tivoli Key Lifecycle Manager does not support IKEv2-SCSI if you use the Federal Information Processing Standard (FIPS). If your system uses IKEv2-SCSI, do not set the fips property that Tivoli Key Lifecycle Manager provides to on.
- Serving symmetric keys to DS5000 storage servers, with administration and ongoing maintenance of the keys served. You can restrict the set of machines with which a device such as a disk drive can be associated, and associate a device with an existing machine in the Tivoli Key Lifecycle Manager database.
- A graphical user interface and command-line interface to manage keys, certificates, and devices.
- Serving of encrypted keys to one or more devices to which the Tivoli Key Lifecycle Manager server is connected.
- Storage of keys and certificates in a keystore, and of metadata about these keys and certificates in a database.
- Backup and restore to protect critical keystore and other Tivoli Key Lifecycle Manager data, such as the configuration files and current database information.
- Migration of an existing Tivoli Key Lifecycle Manager Version 1 or IBM Encryption Key Manager component for the Java Platform configuration during installation.
- Audit records for selected events that result from successful operations, unsuccessful operations, or both. Installing or starting Tivoli Key Lifecycle Manager writes the build level to the audit log.
- Support for encryption-enabled 3592 tape drives and LTO tape drives, and also DS5000 storage servers and DS8000 Turbo drives.
Key serving
Tivoli Key Lifecycle Manager enables definition and serving of keys. Tivoli Key Lifecycle Manager also enables definition of keys or groups of keys that can be associated with a device. Different devices require different key types. After you configure devices, Tivoli Key Lifecycle Manager deploys keys to the devices that request them.
Key group
A Tivoli Key Lifecycle Manager key group contains keys. A key can be a member of only one key group. On distributed systems, deleting a key group also deletes all the keys in the key group; data that was encrypted with those keys is then unrecoverable unless a backup that contains them exists.
Key metadata
Metadata for a Tivoli Key Lifecycle Manager key includes information such as a key alias, algorithm, and activation date. Metadata might also include a key description, expiration date, retirement date, destroy date, compromise date, key usage, backup time, and state, such as active. Tivoli Key Lifecycle Manager stores the metadata for a key in the Tivoli Key Lifecycle Manager database.
The state of a key or certificate defines the allowed usage:
pending
  A certificate request entry is pending the return of a certificate that has been approved and certified by a Certificate Authority.
pre-active
  The object exists but is not yet usable for any cryptographic purpose, for example a migrated certificate with a future use timestamp.
active
  The object is in operational use for protecting and processing data, subject to its Process Start Date and Protect Stop Date attributes. Protecting includes encryption and signature issue; processing includes decryption and signature verification.
compromised
  The security of the object is suspect for some reason. A compromised object never returns to an uncompromised state, and cannot be used to protect data. Use the object only to process cryptographically protected information, in a client that is trusted to handle compromised cryptographic objects. Tivoli Key Lifecycle Manager retains the state that the object had immediately before it was compromised, so the compromised object might continue to be used to process data that it previously protected.
deactivated
  The object is not to be used to apply cryptographic protection such as encryption or signing. However, in extraordinary circumstances the object can be used, with special permission, to process cryptographically protected information, for example decryption or verification.
destroyed
  The object is no longer usable for any purpose. If the object is later found to be compromised, that status is still recorded (destroyed-compromised) for audit or security purposes.
destroyed-compromised
  The object is no longer usable for any purpose. However, its compromised status is retained for audit or security purposes.
An object that is no longer active might change states from:
- Deactivated to destroyed.
- Deactivated to compromised.
- Compromised to destroyed-compromised.
- Destroyed to destroyed-compromised.
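The state rules above as an added Python example, not Tivoli Key Lifecycle Manager code: a small state machine that refuses transitions the text does not allow, records the state an object had before it was compromised, and answers whether an object may protect (encrypt, sign) or process (decrypt, verify) data in each state. The four transitions for objects that are no longer active are taken from the list above; the forward path pending, pre-active, active, deactivated and the move from active to compromised are assumptions drawn from the state descriptions, and the key alias is constructed.

```python
from enum import Enum


class State(Enum):
    PENDING = "pending"
    PRE_ACTIVE = "pre-active"
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"
    DESTROYED_COMPROMISED = "destroyed-compromised"


# The last four entries are the transitions the text lists for objects that are no
# longer active. The forward path (pending -> pre-active -> active -> deactivated,
# and active -> compromised) is an assumption taken from the state descriptions.
ALLOWED = {
    State.PENDING: {State.PRE_ACTIVE, State.ACTIVE},
    State.PRE_ACTIVE: {State.ACTIVE},
    State.ACTIVE: {State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.DESTROYED, State.COMPROMISED},
    State.COMPROMISED: {State.DESTROYED_COMPROMISED},
    State.DESTROYED: {State.DESTROYED_COMPROMISED},
    State.DESTROYED_COMPROMISED: set(),
}


class ManagedObject:
    """A key or certificate with its lifecycle state and transition history."""

    def __init__(self, alias, state=State.PRE_ACTIVE):
        self.alias = alias
        self.state = state
        self.state_before_compromise = None  # retained, as the text describes
        self.history = [state]

    def transition(self, new_state):
        if new_state not in ALLOWED[self.state]:
            raise ValueError("%s: %s -> %s is not allowed"
                             % (self.alias, self.state.value, new_state.value))
        if new_state is State.COMPROMISED:
            self.state_before_compromise = self.state
        self.state = new_state
        self.history.append(new_state)
        return self

    def can_protect(self):
        """Encrypt or sign: only an active object may apply protection."""
        return self.state is State.ACTIVE

    def can_process(self, special_permission=False, trusted_for_compromised=False):
        """Decrypt or verify. Active: always. Deactivated: only with special
        permission. Compromised: only in a client trusted to handle compromised
        objects, and only if the object was usable before it was compromised.
        Destroyed and destroyed-compromised: never."""
        if self.state is State.ACTIVE:
            return True
        if self.state is State.DEACTIVATED:
            return special_permission
        if self.state is State.COMPROMISED:
            return trusted_for_compromised and self.state_before_compromise in (
                State.ACTIVE, State.DEACTIVATED)
        return False


def demo():
    """Walk one key through its life and record what each state permits."""
    key = ManagedObject("lto-key-0001")  # constructed alias
    out = {"pre_active_protect": key.can_protect()}
    key.transition(State.ACTIVE)
    out["active_protect"] = key.can_protect()
    key.transition(State.DEACTIVATED)
    out["deactivated_protect"] = key.can_protect()
    out["deactivated_process"] = key.can_process()
    out["deactivated_process_special"] = key.can_process(special_permission=True)
    key.transition(State.COMPROMISED)
    out["retained_state"] = key.state_before_compromise.value
    out["compromised_process_untrusted"] = key.can_process()
    out["compromised_process_trusted"] = key.can_process(trusted_for_compromised=True)
    try:
        key.transition(State.ACTIVE)  # a compromised object never recovers
        out["uncompromise"] = "allowed"
    except ValueError:
        out["uncompromise"] = "refused"
    key.transition(State.DESTROYED_COMPROMISED)
    out["final_state"] = key.state.value
    out["final_process"] = key.can_process(special_permission=True, trusted_for_compromised=True)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-32s %s" % (name, value))
```

A serving component that consults can_protect() before handing a key to a drive for writing, and can_process() with the caller's entitlements before handing it out for reading, enforces the usage the states define rather than leaving it to the device.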
Keystore types
Tivoli Key Lifecycle Manager supports standard and operating system-specific Java keystore methods to store public/private key and certificate information. Tivoli Key Lifecycle Manager supports these keystore types:
- JCEKS (IBMJCE software provider). Use this keystore type if you are using only Java software. Ensure that the flat-file JCEKS keystore resides in a restricted area of the file system on the Tivoli Key Lifecycle Manager system. Use a JCEKS keystore for all distributed operating systems.
IBM System Storage - DS5000 Storage Controller (1818-51A, 1818-53A, and 1814-20A)
Tivoli Key Lifecycle Manager supports the DS5000 storage server (IBM System Storage DS5000). This support is for DS5000 series storage systems (DS5100, DS5300, and DS5020) with self-encrypting Fibre Channel drives (FDE/SED drives). The optional Full Disk Encryption premium feature must also be purchased and enabled in the storage subsystem. The systems include:
- 1818-51A, 1818-53A, FC 7358 DS5000 Disk Encryption Activation
- 1814-20A, FC 7410 DS5020 Disk Encryption Activation
Refer to the IBM DS Storage Manager 10.70 Installation and Host Support Guide for more information about setting up the DS5000 storage subsystem to support Tivoli Key Lifecycle Manager.
including a backup of critical data. The replica computer enables quick recovery at times when the primary Tivoli Key Lifecycle Manager server is not available.
Restore
  A restore returns the Tivoli Key Lifecycle Manager server to a known state, using backed-up production data such as the Tivoli Key Lifecycle Manager keystore and other critical information.
Audit
Tivoli Key Lifecycle Manager provides audit records on distributed systems in Common Base Event (CBE) format and stores them in a flat file in the audit log.
Technical overview
You can use Tivoli Key Lifecycle Manager to manage encryption keys and certificates. Tivoli Key Lifecycle Manager allows you to create, back up, and manage the lifecycle of keys and certificates that an enterprise uses. You can manage symmetric keys, asymmetric key pairs, and certificates. Tivoli Key Lifecycle Manager also provides a graphical user interface and command-line interface to manage keys and certificates. Tivoli Key Lifecycle Manager waits for and responds to key generation or key retrieval requests that arrive over TCP/IP from a tape library, tape controller, tape subsystem, device driver, or tape drive.
Major Tivoli Key Lifecycle Manager functions include:
- Managing symmetric keys, asymmetric key pairs, and X.509 V3 certificates.
- Managing the creation and lifecycle of keys, which carry metadata about their intended usage.
- For disaster recovery, providing protected backup of critical data. For example, on distributed systems, a backup includes cryptographic key data (the actual keys and certificates that are managed), metadata about the keys, and configuration files.
- File-based audit logs that vary, depending on the operating system. On distributed systems, the log is a flat file whose records are based on the Common Base Event (CBE) security event specification.
Keys overview
An encryption key is typically a random string of bits generated specifically to scramble and unscramble data. Encryption keys are created using algorithms designed to ensure that each key is unique and unpredictable. The longer the key constructed this way, the harder it is to break the encryption code. Tivoli Key Lifecycle Manager uses two types of encryption algorithms: symmetric algorithms and asymmetric algorithms.
Symmetric, or secret key, encryption uses a single key for both encryption and decryption. Symmetric key encryption is used to encrypt large amounts of data efficiently. Advanced Encryption Standard (AES) keys are symmetric keys that can be three different key lengths (128, 192, or 256 bits). AES is the encryption standard currently recognized and recommended by the U.S. government. The 256-bit keys are the longest allowed by AES. By default, Tivoli Key Lifecycle Manager generates 256-bit AES keys.
Asymmetric, or public/private, encryption uses a pair of keys. Data encrypted using one key can only be decrypted using the other key in the public/private key pair. When an asymmetric key pair is generated, the public key is typically used to encrypt, and the private key is typically used to decrypt. Tivoli Key Lifecycle Manager uses both symmetric and asymmetric keys. Symmetric encryption enables high-speed encryption of user or host data. Asymmetric encryption, which is necessarily slower, protects the symmetric key.
See the documentation from specific hardware and software cryptographic providers for information about whether their products are FIPS 140-2 certified.
Note: Do not use hardware-based keystore types when the fips property is set to a value of on. Setting the fips configuration property to on causes Tivoli Key Lifecycle Manager to use the IBMJCEFIPS provider for all cryptographic functions.
The Key Management Interoperability Protocol is part of an Organization for the Advancement of Structured Information Standards (OASIS) standardization project for encryption of stored data and cryptographic key management. For more information, refer to:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip
Tivoli Key Lifecycle Manager can listen for connection requests from KMIP clients that send requests to locate, store, and manage cryptographic material on the Tivoli Key Lifecycle Manager server. Tivoli Key Lifecycle Manager supports KMIP secret data and symmetric key interoperability profiles for KMIP server and client interactions. Tivoli Key Lifecycle Manager provides:
- KMIP information in the graphical user interface: whether KMIP ports and timeout settings are configured; the current KMIP certificate, indicating which certificate is in use for secure server or server/client communication; and whether SSL/KMIP or SSL is specified for secure communication.
- Updating KMIP attributes for keys and certificates. For example, the tklmKeyAttributeUpdate command allows you to update:
  name
    Specifies the name used to identify or locate the object. This attribute is a Key Management Interoperability Protocol attribute.
  applicationSpecificInformation
    Specifies application namespace information as a Key Management Interoperability Protocol attribute.
  contactInformation
    Specifies contact information as a Key Management Interoperability Protocol attribute.
  cryptoParams cryptoparameter1, cryptoparameterN
    Specifies the cryptographic parameters used for cryptographic operations using the object. This attribute is a Key Management Interoperability Protocol attribute.
  customAttribute
    Specifies a custom attribute in string format as a Key Management Interoperability Protocol attribute. Client-specific attributes must start with the characters "x-" (x hyphen) and server-specific attributes must start with "y-" (y hyphen).
  link
    Specifies the link from one managed cryptographic object to another, closely related target managed cryptographic object. This attribute is a Key Management Interoperability Protocol attribute.
  objectGroup
    Specifies one or more object group names of which this object might be part. This attribute is a Key Management Interoperability Protocol attribute.
  processStartDate
    Specifies the date on which a symmetric key object can be used for process purposes. You cannot change the value after the date occurs. If you specify a date earlier than the current date, the value is set to the current date. This attribute is a Key Management Interoperability Protocol attribute.
  protectStopDate
    Specifies the date on which an object cannot be used for process purposes. You cannot change the value after the date occurs. If you specify a date earlier than the current date, the value is set to the current date. This attribute is a Key Management Interoperability Protocol attribute.
  usageLimits
    Specifies either total bytes (BYTE) or total objects (OBJECT) as a Key Management Interoperability Protocol attribute. You cannot modify this value once this object is used. For example, GetUsageAllocation calls this object.
- List and delete client-registered KMIP templates. Clients use a template to specify the cryptographic attributes of new objects in a standardized or convenient way. The template is a managed object that contains attributes in operations that the client can set for a cryptographic object. For example, the client can set application-specific information.
  tklmKMIPTemplateList
    List KMIP templates that Tivoli Key Lifecycle Manager provides. For example, you might list all templates.
  tklmKMIPTemplateDelete
    Delete KMIP templates that clients registered with Tivoli Key Lifecycle Manager.
- List and delete secret data such as passwords or a seed used to generate keys.
  tklmSecretDataDelete
    Delete secret data that KMIP clients sent to Tivoli Key Lifecycle Manager.
  tklmSecretDataList
    List secret data that KMIP clients sent to Tivoli Key Lifecycle Manager.
- Set default port and timeout properties:
  KMIPListener.ssl.port
    Specifies the port on which the Tivoli Key Lifecycle Manager server listens for requests from libraries that communicate over the SSL socket using the Key Management Interoperability Protocol.
  TransportListener.ssl.port
    Specifies the port on which the Tivoli Key Lifecycle Manager server listens for requests from tape libraries that communicate using the SSL protocol.
  TransportListener.ssl.timeout
    Specifies how long the socket waits on a read() before closing. This property is used for the SSL socket.
- Enable or disable delete requests from KMIP clients. An authenticated client can request delete operations that might have a significant impact on the availability of a key, on server performance, and on key security. Specify the enableKMIPDelete attribute with either the tklmDeviceGroupAttributeUpdate or the tklmDeviceGroupCreate command to determine whether Tivoli Key Lifecycle Manager acts on these requests.
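The naming and date rules in the attribute list above are the ones a KMIP client most often gets wrong, so the following Go program models them as an added example. It is not Tivoli Key Lifecycle Manager code: it enforces the "x-"/"y-" prefix rule for customAttribute, the clamp-to-now and freeze-after-the-date behaviour of processStartDate and protectStopDate, and the usageLimits freeze after the object is first used through GetUsageAllocation. All type and function names are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example, not TKLM code. It models the update rules stated above for the
// customAttribute, processStartDate, protectStopDate and usageLimits KMIP
// attributes. Type and function names are assumptions, not the product's API.

var (
	ErrBadPrefix   = errors.New("custom attribute name has the wrong prefix")
	ErrDatePassed  = errors.New("date attribute cannot change after the date occurs")
	ErrObjectInUse = errors.New("usageLimits cannot change once the object is used")
	ErrUnknownUnit = errors.New("usageLimits unit must be BYTE or OBJECT")
)

// ValidateCustomAttribute enforces the naming rule: client-specific attributes
// start with "x-", server-specific attributes start with "y-".
func ValidateCustomAttribute(name string, fromClient bool) error {
	want := "y-"
	if fromClient {
		want = "x-"
	}
	if !strings.HasPrefix(name, want) {
		return fmt.Errorf("%w: %q must start with %q", ErrBadPrefix, name, want)
	}
	return nil
}

// DateAttribute holds a processStartDate or protectStopDate value.
type DateAttribute struct {
	Value time.Time // zero value means "not set"
}

// Set applies both rules from the text: a stored date that has already
// occurred is frozen, and a requested date earlier than now becomes now.
func (d *DateAttribute) Set(requested, now time.Time) error {
	if !d.Value.IsZero() && !d.Value.After(now) {
		return ErrDatePassed
	}
	if requested.Before(now) {
		requested = now
	}
	d.Value = requested
	return nil
}

// UsageLimits is a total byte budget (BYTE) or object budget (OBJECT).
type UsageLimits struct {
	Unit  string
	Total uint64
}

// ManagedObject carries only the state needed to model the usageLimits rule.
type ManagedObject struct {
	Name   string
	Limits UsageLimits
	used   bool // set once GetUsageAllocation has consumed part of the budget
}

// SetUsageLimits rejects any change after the object has been used.
func (o *ManagedObject) SetUsageLimits(unit string, total uint64) error {
	if unit != "BYTE" && unit != "OBJECT" {
		return ErrUnknownUnit
	}
	if o.used {
		return ErrObjectInUse
	}
	o.Limits = UsageLimits{Unit: unit, Total: total}
	return nil
}

// GetUsageAllocation hands out part of the budget and marks the object as used.
func (o *ManagedObject) GetUsageAllocation(n uint64) (uint64, error) {
	if n > o.Limits.Total {
		return 0, fmt.Errorf("allocation of %d exceeds remaining %d %s",
			n, o.Limits.Total, o.Limits.Unit)
	}
	o.used = true
	o.Limits.Total -= n
	return n, nil
}

func main() {
	now := time.Date(2011, 1, 10, 0, 0, 0, 0, time.UTC) // constructed "current date"
	fmt.Println(ValidateCustomAttribute("x-tape-pool", true))  // client prefix accepted
	fmt.Println(ValidateCustomAttribute("x-tape-pool", false)) // server attribute needs "y-"

	var start DateAttribute
	err := start.Set(now.AddDate(0, 0, -5), now) // earlier than now: clamped to now
	fmt.Println(err, start.Value.Equal(now))

	obj := &ManagedObject{Name: "key-0001"}
	fmt.Println(obj.SetUsageLimits("BYTE", 1<<30))
	obj.GetUsageAllocation(4096)
	fmt.Println(obj.SetUsageLimits("BYTE", 1<<31)) // object already used: rejected
}
```

The clamp rule means a date equal to now counts as having occurred, so an attribute that was clamped is frozen immediately; a client that needs a changeable window must request a date in the future.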
The wrapped data key, along with key label information about what private key is required to unwrap the symmetric key, forms a digital envelope called an externally encrypted data key structure. The structure is stored in the tape header area of any tape cartridge that holds data encrypted using this method. In this way, the key used to decrypt the data is stored with the data on the tape itself, protected by asymmetric, public/private key wrapping. The public key used to wrap that data key is obtained from one of two sources:
- A public key (part of an internally generated public/private key pair) stored in the keystore.
- A certificate (from a business partner, for example) stored in the keystore.
The certificates and keys stored in the keystore are the point of control allowing a tape drive or library to decrypt the data on the tape. Without the information in the keystore, the tape cannot be read. It is important to prevent unauthorized users from obtaining the private keys from the keystore. You must always keep the keystore available to you to read the tapes.
The data encryption key is stored only on the tape, in a wrapped, protected form. When an encrypted tape is to be read by a 3592 tape drive, the tape drive sends the externally encrypted data key to Tivoli Key Lifecycle Manager. Tivoli Key Lifecycle Manager determines from the alias or key label which private key encryption key from its keystore to use to unwrap the externally encrypted data key and recover the data encryption key. After the data encryption key is recovered, it is then wrapped with a different key, which the tape drive can decrypt, and sent back to the tape drive, enabling the tape drive to decrypt the data.
Tivoli Key Lifecycle Manager uses aliases, also known as key labels, to identify the public/private keys used to wrap the externally encrypted data key when encrypting with 3592 tape drives. Specific aliases may be defined for each tape device by using the Tivoli Key Lifecycle Manager graphical user interface or command-line interface. Tivoli Key Lifecycle Manager allows the definition of at least two aliases (certificates or key labels) for each encrypting tape drive. The aliases allow access to the encrypted data at another location within your organization or outside it. The private key for one of these aliases must be known. If you do not want to specify two different key labels or aliases, you can define both aliases with the same value.
AES keys and the LTO tape drive:
When an LTO tape drive writes encrypted data, it first requests an encryption key from Tivoli Key Lifecycle Manager. Upon receipt of the request, Tivoli Key Lifecycle Manager obtains an existing AES key from a keystore and wraps it for secure transfer to the tape drive, where it is unwrapped and used to encrypt the data being written to tape. When an encrypted tape is read by an LTO tape drive, Tivoli Key Lifecycle Manager obtains the required key from the keystore, based on the information in the Key ID on the tape, and serves it to the tape drive wrapped for secure transfer.
Symmetric keys and the LTO tape drive:
Tivoli Key Lifecycle Manager uses only symmetric data keys for encryption tasks on the LTO tape drive. When an LTO tape drive requests a key, Tivoli Key Lifecycle Manager uses the alias specified for the tape drive. If no alias was specified for the tape drive, Tivoli Key Lifecycle Manager uses an alias from a key group, key alias list, or range of key aliases. The keys from the key group are used in a round robin fashion to help balance the use of keys more evenly. The selected alias is associated with a symmetric data key that was preloaded in the keystore. Tivoli Key Lifecycle Manager sends this data key to the LTO tape drive to encrypt the data. The selected alias is also converted to an entity called a data key identifier, which is written to tape with the encrypted data. Tivoli Key Lifecycle Manager can use the data key identifier to identify the correct data key needed to decrypt the data when the LTO tape is read.
AES keys and the DS8000 Turbo drive:
When the DS8000 Turbo drive starts, the device requests an unlock key from Tivoli Key Lifecycle Manager. If the DS8000 Turbo drive requests a new key for its unlock key, Tivoli Key Lifecycle Manager generates an Advanced Encryption Standard (AES) key and serves the key to the drive in two protected forms:
- Encrypted (wrapped) using Rivest-Shamir-Adleman (RSA) key pairs. The DS8000 Turbo drive stores this copy of the key on the array in an unencrypted partition.
- Separately wrapped for secure transfer to the drive, where it is unwrapped upon arrival and the key inside is used to unlock the array.
If the DS8000 Turbo drive requests an existing unlock key, the protected AES key on the array is sent to Tivoli Key Lifecycle Manager, where the wrapped AES key is unwrapped. The AES key is then wrapped with a different key for secure transfer back to the DS8000 Turbo drive, where it is unwrapped and used to unlock the array.
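The alias selection and data key identifier round trip described for the LTO tape drive above (and repeated for the DS5000 storage server later in this section) is shown in the following Go program, an added example that is not Tivoli Key Lifecycle Manager code. A drive-specific alias takes precedence; otherwise the drive's key group is served round robin; the served alias becomes the data key identifier written to tape, and a read request resolves that identifier back to the same key. The in-memory key store, the "DKI:" identifier format, and all type and function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Added example, not TKLM code. It models the symmetric key selection the LTO
// section above describes: a drive-specific alias takes precedence, otherwise
// the drive's key group is served round robin, and the served alias becomes a
// data key identifier that is written to tape and resolved back to the same
// key on a read. The identifier format, key store and all names are assumptions.

type DataKeyIdentifier string

const dkiPrefix = "DKI:" // assumed format; the product's encoding differs

// Keystore maps aliases to preloaded 256-bit AES data keys.
type Keystore map[string][]byte

// KeyGroup serves its aliases in round-robin order so key use stays balanced.
type KeyGroup struct {
	mu      sync.Mutex
	aliases []string
	next    int
}

func NewKeyGroup(aliases ...string) *KeyGroup { return &KeyGroup{aliases: aliases} }

// Next returns the current alias and advances the cursor, wrapping at the end.
func (g *KeyGroup) Next() (string, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if len(g.aliases) == 0 {
		return "", errors.New("key group is empty")
	}
	a := g.aliases[g.next]
	g.next = (g.next + 1) % len(g.aliases)
	return a, nil
}

// Drive is an LTO drive as registered with the key server.
type Drive struct {
	Serial string
	Alias  string    // optional alias configured for this specific drive
	Group  *KeyGroup // consulted only when Alias is empty
}

type Server struct{ ks Keystore }

// KeyForWrite selects the alias for a write and returns the data key together
// with the identifier the drive must record on the tape.
func (s *Server) KeyForWrite(d *Drive) (DataKeyIdentifier, []byte, error) {
	alias := d.Alias
	if alias == "" {
		if d.Group == nil {
			return "", nil, fmt.Errorf("drive %s has neither an alias nor a key group", d.Serial)
		}
		var err error
		if alias, err = d.Group.Next(); err != nil {
			return "", nil, err
		}
	}
	key, ok := s.ks[alias]
	if !ok {
		return "", nil, fmt.Errorf("alias %q is not in the keystore", alias)
	}
	return DataKeyIdentifier(dkiPrefix + alias), key, nil
}

// KeyForRead maps the identifier read from tape back to the data key.
func (s *Server) KeyForRead(dki DataKeyIdentifier) ([]byte, error) {
	if !strings.HasPrefix(string(dki), dkiPrefix) {
		return nil, fmt.Errorf("malformed data key identifier %q", dki)
	}
	alias := strings.TrimPrefix(string(dki), dkiPrefix)
	key, ok := s.ks[alias]
	if !ok {
		return nil, fmt.Errorf("no key for alias %q named by %q", alias, dki)
	}
	return key, nil
}

// SampleServer builds a constructed keystore holding three random AES keys.
func SampleServer() *Server {
	ks := Keystore{}
	for _, alias := range []string{"lto-key-01", "lto-key-02", "lto-key-03"} {
		ks[alias] = make([]byte, 32)
		if _, err := rand.Read(ks[alias]); err != nil {
			panic(err)
		}
	}
	return &Server{ks: ks}
}

func main() {
	srv, drive := SampleServer(), &Drive{Serial: "LTO-0001", Group: NewKeyGroup("lto-key-01", "lto-key-02", "lto-key-03")}
	for i := 0; i < 4; i++ { // cycles 01, 02, 03 and back to 01
		dki, _, err := srv.KeyForWrite(drive)
		fmt.Println(dki, err)
	}
}
```

Because the identifier is derived from the alias rather than from the key bytes, a read can only be served while that alias is still present in the keystore; deleting or renaming an alias that tapes reference makes those tapes unreadable, which is why the text stresses keeping the keystore available.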
Asymmetric keys and the DS8000 Turbo drive:
Tivoli Key Lifecycle Manager also uses public/private (asymmetric) key cryptography to protect 256-bit AES symmetric data encryption keys as they pass between Tivoli Key Lifecycle Manager and the DS8000 Turbo drive. Public/private key cryptography is also used to verify the identity of the tape drives to which Tivoli Key Lifecycle Manager serves keys. When a DS8000 Turbo drive requests a new key, Tivoli Key Lifecycle Manager generates a random symmetric data encryption key. Public/private key cryptography is used to wrap the data encryption key using a key encryption key, which is the public key of an asymmetric key pair. The wrapped data key, along with key label information about the private key that is required to unwrap the symmetric key, forms a digital envelope called an externally encrypted data key structure that is stored in the tape header area of any tape cartridge that holds data encrypted using this method. In this way, the key used to decrypt the data is stored with the data on the tape itself, protected by asymmetric, public/private key wrapping. The public key used to wrap that data key is obtained from one of two sources:
- A certificate (from a business partner, for example) stored in the keystore.
- A public key (part of an internally generated public/private key pair) stored in the keystore.
The certificates and keys stored in the keystore are the point of control allowing a DS8000 Turbo drive to be unlocked. Without the information in the keystore, the DS8000 Turbo drive cannot be unlocked. It is important to prevent unauthorized users from obtaining the private keys from the keystore, and to always keep the keystore available to you to unlock the arrays.
The data encryption key is stored only on the DS8000 Turbo drive in a wrapped, protected form. When a DS8000 Turbo drive needs to be unlocked, the DS8000 Turbo drive sends the externally encrypted data key to Tivoli Key Lifecycle Manager, which determines from the alias or key label which private key encryption key from its keystore to use to unwrap the externally encrypted data key and recover the data encryption key. After the data encryption key is recovered, it is then wrapped with a different key, which the tape drive can decrypt, and sent back to the tape drive, enabling the tape drive to decrypt the data.
Tivoli Key Lifecycle Manager uses aliases, also known as key labels, to identify the public/private keys used to wrap the unlocking key. Specific aliases may be defined for each device. Tivoli Key Lifecycle Manager allows the definition of up to two aliases (certificates or key labels) for each DS8000 Turbo drive in order to help prevent deadlock conditions in which the Tivoli Key Lifecycle Manager is on the same system as the DS8000 Turbo drive and the DS8000 Turbo drive needs to unlock before the Tivoli Key Lifecycle Manager can come up. The private key for one of these aliases must be known. If you do not want to specify two different key labels or aliases, you can define both aliases with the same value.
AES keys and the DS5000 storage server:
When a DS5000 storage server starts, the device requests a key from Tivoli Key Lifecycle Manager to unlock disk drives. In response, Tivoli Key Lifecycle Manager obtains an existing AES key from the keystore and wraps the AES key for secure transfer to the DS5000 storage server, which unwraps and uses the key to unlock disk drives.
Symmetric keys and the DS5000 storage server:
Tivoli Key Lifecycle Manager uses only symmetric data keys as the unlock key for a DS5000 storage server. When a DS5000 storage server requests a key, Tivoli Key Lifecycle Manager uses the alias that the request specifies to get the key. If the DS5000 storage server request does not specify an alias, Tivoli Key Lifecycle Manager obtains an alias from the list of keys that are associated with the requesting DS5000 storage server as a device. Keys from the list are served in round robin fashion to balance the use of keys evenly.
The selected alias is associated with a symmetric data key that was preloaded in the keystore. Tivoli Key Lifecycle Manager sends the symmetric data key to the device to unlock the disk drives of this array. The selected alias is also converted to an entity that is termed a data key identifier, which the DS5000 storage server stores. Tivoli Key Lifecycle Manager can use the data key identifier to identify the correct data key when needed.
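The externally encrypted data key structure described for the 3592 tape drive and the DS8000 Turbo drive earlier in this section is shown end to end in the following Go code, an added example that is not Tivoli Key Lifecycle Manager code. A random 256-bit AES data key is wrapped under the public key of each of the two aliases configured for a device (one an internally generated key pair, one a partner certificate); the key labels travel with the wrapped copies; on a read, the server picks the copy whose label matches a private key it holds, recovers the data key, and rewraps it under the requesting device's transport key so the clear key never leaves the server. RSA-OAEP with SHA-256 stands in for the product's wrapping algorithm, and the keystore layout, type and function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added example, not TKLM code: the externally encrypted data key (EEDK) of the
// 3592 and DS8000 sections above. A random 256-bit AES data key is wrapped under
// the public key of each alias configured for the device; the labels travel with
// the wrapped copies; on a read the server unwraps with whichever private key it
// holds and rewraps the key for the device. RSA-OAEP/SHA-256 stands in for the
// product's wrapping algorithm; every name here is an assumption.

// WrappedCopy is the data key wrapped under one key encryption key.
type WrappedCopy struct {
	KeyLabel string // alias of the private key that can unwrap this copy
	Wrapped  []byte
}

type EEDK struct{ Copies []WrappedCopy } // stored in the tape header with the data

// KeyEntry is one keystore alias; Private is nil for a partner certificate.
type KeyEntry struct {
	Public  *rsa.PublicKey
	Private *rsa.PrivateKey
}

// Keystore maps aliases (key labels) to entries.
type Keystore map[string]KeyEntry

func KeyPairEntry(priv *rsa.PrivateKey) KeyEntry { return KeyEntry{Public: &priv.PublicKey, Private: priv} }
func CertificateEntry(pub *rsa.PublicKey) KeyEntry { return KeyEntry{Public: pub} }

// MustGenerateKeyPair creates a 2048-bit RSA pair, the key size the text names.
func MustGenerateKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// NewDataKey returns a fresh random 256-bit AES data key.
func NewDataKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("eedk"))
}

// UnwrapWith is used by the server (own private key) and by the device (transport key).
func UnwrapWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte("eedk"))
}

// BuildEEDK wraps the data key once per alias; with two aliases one copy is
// recoverable here and the other at a partner site holding the second key.
func (ks Keystore) BuildEEDK(dek []byte, labels ...string) (*EEDK, error) {
	if len(labels) == 0 {
		return nil, fmt.Errorf("at least one key label is required")
	}
	env := &EEDK{}
	for _, l := range labels {
		e, ok := ks[l]
		if !ok {
			return nil, fmt.Errorf("no key pair or certificate for label %q", l)
		}
		w, err := wrap(e.Public, dek)
		if err != nil {
			return nil, err
		}
		env.Copies = append(env.Copies, WrappedCopy{KeyLabel: l, Wrapped: w})
	}
	return env, nil
}

// RecoverDataKey: the label selects the private key; holding any one of them is enough.
func (ks Keystore) RecoverDataKey(env *EEDK) ([]byte, error) {
	for _, c := range env.Copies {
		if e, ok := ks[c.KeyLabel]; ok && e.Private != nil {
			return UnwrapWith(e.Private, c.Wrapped)
		}
	}
	return nil, fmt.Errorf("no private key here matches a label in the envelope")
}

// ServeToDevice rewraps the recovered data key under the device's transport
// public key, so the clear data key never leaves the server.
func (ks Keystore) ServeToDevice(env *EEDK, device *rsa.PublicKey) ([]byte, error) {
	dek, err := ks.RecoverDataKey(env)
	if err != nil {
		return nil, err
	}
	return wrap(device, dek)
}
```

The envelope is what makes the keystore the point of control: a partner site that holds only its own private key can recover the data key from its copy, while a keystore that has lost both private keys cannot recover it at all, which is the failure the text warns about when it says the keystore must always stay available.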
Main components
The Tivoli Key Lifecycle Manager solution on distributed systems includes the Tivoli Key Lifecycle Manager server, an embedded WebSphere Application Server, and DB2. On distributed systems, installing Tivoli Key Lifecycle Manager also installs the prerequisites.
Runtime environment
  Distributed systems: An embedded WebSphere Application Server is the primary component of the WebSphere Application Server environment. The embedded WebSphere Application Server runs a Java virtual machine, providing the runtime environment for the application code. The application server provides communication security, logging, messaging, and Web services.
Database server
  Tivoli Key Lifecycle Manager stores key metadata in a DB2 relational database. Use Tivoli Key Lifecycle Manager to manage the DB2 database.
Figure 3. Main components on Windows systems and systems such as Linux or AIX
On Windows systems and other systems such as Linux or AIX, both computers must have the required memory, speed, and available disk space to meet the workload. The operating system and middleware components must be the same on both computers. The installation paths must also be the same.
Tivoli Key Lifecycle Manager configuration files
  Properties that define selected Tivoli Key Lifecycle Manager activities such as audit settings and other values that you customize for your system configuration.
Tivoli Key Lifecycle Manager database
  Data about Tivoli Key Lifecycle Manager objects such as devices, key groups, certificates, keys, and drives.
Restore
A restore returns the Tivoli Key Lifecycle Manager server to a known state, using backed-up production data such as the Tivoli Key Lifecycle Manager keystore and other critical information. Retrieve a copy of backup files from a location that you specified earlier that is not in the Tivoli Key Lifecycle Manager directory path. You must also know the password that was used to encrypt a given backup file. Use the password to restore and decrypt the file on the primary Tivoli Key Lifecycle Manager server. Before starting a restore, isolate the system for maintenance. You must restart the Tivoli Key Lifecycle Manager server immediately after the restore occurs. Verify the environment before bringing the Tivoli Key Lifecycle Manager server back into production.
Release information
This section describes new features and hardware and software requirements for Tivoli Key Lifecycle Manager.
Table 8. Operating system requirements
The table pairs each operating system with the DB2 Workgroup Server Edition version to use (Version 9.5 or Version 9.7); the assignment is given under Database authority and requirements: Version 9.5 on SuSE Linux Enterprise Server Version 9 and Red Hat Enterprise Linux AS Version 4.0, Version 9.7 on the other supported operating systems.
Operating system:
- AIX Version 5.3 64-bit (in 32-bit mode) and Version 6.1 (in 32-bit mode; POWER7 servers are not supported).
  - For both versions, a 64-bit AIX kernel is required.
  - For Version 5.3, use Technology Level 9 and Service Pack 2. The minimum C++ runtime level requires the xlC.rte 9.0.0.8 and xlC.aix50.rte 9.0.0.8 (or later) filesets. These filesets are included in the June 2008 IBM C++ Runtime Environment Components for AIX package.
  - For Version 6.1, use AIX 6.1 Technology Level 2. The minimum C++ runtime level requires the xlC.rte 9.0.0.8 and xlC.aix61.rte 9.0.0.8 (or later) filesets. These filesets are included in the June 2008 IBM C++ Runtime Environment Components for AIX package.
- Sun Server Solaris 9 (SPARC 64-bit in 32-bit mode). Apply patches 111711-12 and 111712-12. If raw devices are used, apply patch 122300-11. Note: Tivoli Key Lifecycle Manager runs in a 32-bit JVM.
- Sun Server Solaris 10 (SPARC 64-bit in 32-bit mode). If raw devices are used, apply patch 125100-07. Note: Tivoli Key Lifecycle Manager runs in a 32-bit JVM.
- Windows Server 2003 R2 (all Intel and AMD processors), Standard Edition and Enterprise Edition. Tivoli Key Lifecycle Manager can run on a member server in a domain controller environment, but is not supported on a primary or backup domain controller.
- Windows Server 2008 (32-bit, and also 64-bit in 32-bit mode, for all Intel and AMD processors), Standard Edition and Enterprise Edition.
- Windows Server 2008 R2 (64-bit in 32-bit mode for all Intel and AMD processors), Standard Edition and Enterprise Edition.
- Red Hat Enterprise Linux AS Version 4.0 on x86 32-bit
- Red Hat Enterprise Linux Version 5.0 update 2 on x86 32-bit and also 64-bit in 32-bit mode
- SuSE Linux Enterprise Server Version 9 on x86 (32-bit)
- SuSE Linux Enterprise Server Version 10 Service Pack 2 on x86 (32-bit and 64-bit in 32-bit mode) and Version 11 (32-bit and 64-bit in 32-bit mode)
Linux packages:
On Linux platforms, Tivoli Key Lifecycle Manager requires the compat-libstdc++-33-3.2.3-61 or later package. It also requires the libaio package, which contains the asynchronous I/O library required for DB2 database servers.
- libstdc package. To determine if you have the package, run this command:
    rpm -qa | grep -i "libstdc"
  If the package is not installed, locate the rpm file on your original installation media and install it:
    find installation_media -name 'compat-libstdc++*'
    rpm -ivh full_path_to_compat-libstdc++_rpm_file
- libaio package. To determine if you have the package, run this command:
    rpm -qa | grep -i "libaio"
  If the package is not installed, locate the rpm file on your original installation media and install it:
    find installation_media -name 'libaio*'
    rpm -ivh full_path_to_libaio_rpm_file
Disabling Security Enhanced Linux:
Tivoli Key Lifecycle Manager problems occur on Linux operating systems if the Security Enhanced Linux (SELinux) setting is enabled. For example, a problem might occur with TCP/IP connections on Tivoli Key Lifecycle Manager server ports. To disable Security Enhanced Linux, take these steps after you install the Linux operating system:
1. Edit the /etc/selinux/config file and set SELINUX=disabled.
2. Reboot the system to make the change effective.
3. Ensure that SELinux is disabled by running sestatus from the command line:
    [root@localhost ~]$ sestatus
    SELinux status: disabled
Table 9. Hardware requirements for Windows systems (continued)

System component | Minimum values* | Typical values**
Disk space free in the Windows drive that contains the temporary file system location (C:\Documents and Settings\admin_user_name\Local Settings\Temp) | 600 MB | 2 GB
Disk space free in the Windows drive where DB2 will be installed. By default, the directory is drive\Program Files\IBM\db2tklmV2. | 700 MB | 1 GB
Disk space free on the Windows system drive (usually C:\) for installation of the Deployment Engine | 300 MB | 1 GB
Disk space free on the Windows system drive (by default C:\) where the DB2 instance for Tivoli Key Lifecycle Manager will be created. | 1400 MB | 2 GB
Disk space free for the core product (Tivoli Key Lifecycle Manager and Tivoli Integrated Portal). By default, the directory is C:\Program Files\ibm\tivoli\tiptklmV2. | 2 GB | 5 GB
Disk space required for the keystore | 200 MB | 400 MB

All file systems must be writable.
* Minimum values: These values enable a basic use of Tivoli Key Lifecycle Manager.
** Typical values: You might need to use larger values that are appropriate for your production environment. The most critical requirements are to provide adequate system memory, and free disk and swap space. Processor speed is less important.
Installing into mapped network drives is not supported. If installation locations of more than one system component fall on the same Windows drive, the cumulative space required to contain all those components must be available in that drive.
Table 10 on page 35 lists hardware requirements for systems such as Linux and AIX:
Table 10. Hardware requirements for systems such as Linux and AIX

System component | Minimum values* | Typical values**
System memory (RAM) | 4 GB | 4 GB
Processor speed | Linux on distributed systems: 2.66 GHz single processor; AIX and Sun Solaris systems: 1.5 GHz (2-way) | Linux on distributed systems: 3.0 GHz dual processors; AIX and Sun Solaris systems: 1.5 GHz (4-way)
Disk space free in the partition that contains the temporary file system location (usually /tmp) | 700 MB | 2 GB
Disk space free in the partition where DB2 is installed. By default, the directory is /opt/IBM/db2tklmV2. | Linux systems: 800 MB; AIX and Sun Solaris systems: 1300 MB | Linux systems: 1 GB; AIX and Sun Solaris systems: 2 GB
Disk space free for installation of the Deployment Engine in the /usr/ibm/common/acsi directory | 700 MB | 2 GB
Disk space free in the partition where the DB2 instance home for the Tivoli Key Lifecycle Manager DB2 administrator user is created. By default, the directory is /home/tklmdb2 on Linux and AIX systems and /export/home/tklmdb2 on Solaris systems. | 1700 MB | 3 GB
Disk space free where the core product (Tivoli Key Lifecycle Manager and Tivoli Integrated Portal) is installed. By default, the directory is path/IBM/tivoli/tiptklmV2. | 2 GB | 5 GB
Disk space required for the keystore | 200 MB | 400 MB
All file systems must be writable.
* Minimum values: These values enable a basic use of Tivoli Key Lifecycle Manager.
** Typical values: You might need to use larger values that are appropriate for your production environment. The most critical requirements are to provide adequate system memory, and free disk and swap space. Processor speed is less important.
Installing into mounted partitions is not supported. If installation locations of more than one system component fall on the same UNIX partition, the cumulative space required to contain all those components must be available in that partition.
Software prerequisites
Tivoli Key Lifecycle Manager has these software prerequisites:
Tivoli Integrated Portal requirement:
The requirement for a version of Tivoli Integrated Portal depends on which operating system or required prerequisite Tivoli Key Lifecycle Manager uses.
- Distributed systems: Tivoli Integrated Portal Version 1.1.1.11
Tivoli Key Lifecycle Manager includes and installs Tivoli Integrated Portal. During installation, Tivoli Key Lifecycle Manager makes modifications to Tivoli Integrated Portal that might cause problems with products that use the same Tivoli Integrated Portal when you uninstall Tivoli Key Lifecycle Manager. To avoid these issues:
- Do not install Tivoli Key Lifecycle Manager in a Tivoli Integrated Portal instance that another product provides.
- Do not install another product in the instance of Tivoli Integrated Portal that Tivoli Key Lifecycle Manager provides.
Java Runtime Environment (JRE) requirements:
The Tivoli Key Lifecycle Manager requirement for a version of Java Runtime Environment depends on which operating system is used.
- Distributed systems: IBM Java Runtime Environment that is included with embedded WebSphere Application Server.
On all systems, use of an independently installed development kit for Java, from IBM or other vendors, is not supported.
Runtime environment requirements:
The Tivoli Key Lifecycle Manager requirement for a runtime environment depends on which operating system is used.
- Distributed systems: embedded WebSphere Application Server 6.1.0.29 and any applicable fix pack or APAR requirements. WebSphere Application Server Version 6.1 is not supported.
Database authority and requirements:
The Tivoli Key Lifecycle Manager requirement for a database depends on which operating system is used.
- Distributed systems: DB2 Workgroup Server Edition on the same computer on which the Tivoli Key Lifecycle Manager server runs:
  - Version 9.5 with Fix Pack 4 or a higher fix pack on SuSE Linux Enterprise Server Version 9 and on Red Hat Enterprise Linux AS Version 4.0.
  - Version 9.7 with Fix Pack 2 on other distributed operating systems that Tivoli Key Lifecycle Manager supports.
Note:
- You must use Tivoli Key Lifecycle Manager to manage the database. To avoid data synchronization problems, do not use tools that the database application might provide.
- For improved performance of DB2 Version 9.7 on AIX systems, ensure that you install and configure the I/O completion ports (IOCP) package that is described here: http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=/com.ibm.db2.luw.admin.perf.doc/doc/t0054518.html
- If an existing copy of DB2 Workgroup Server Edition was installed as the root user at the correct version for the operating system, you can use the existing DB2 Workgroup Server Edition. Tivoli Key Lifecycle Manager installation does not detect the presence of DB2 that was preinstalled as a non-root user and does not support non-root installation of DB2.
For more information on DB2 prerequisites, see http://www.ibm.com/software/data/db2/9/sysreqs.html
DB2 kernel settings:
Ensure that kernel settings are correct for those operating systems, such as the Solaris operating system, that require updating. Before installing the application, see the DB2 documentation on these Web sites for these additional kernel settings:
AIX systems
  None required.
Linux systems
  - Modifying kernel parameters for DB2 Workgroup Server Edition Version 9.5 on SuSE Linux Enterprise Server Version 9 and Red Hat Enterprise Linux AS Version 4.0: http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/topic/com.ibm.db2.luw.qb.server.doc/doc/t0008238.html
  - Modifying kernel parameters for DB2 Workgroup Server Edition Version 9.7 on other supported Linux systems: http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=/com.ibm.db2.luw.qb.server.doc/doc/t0008238.html
Solaris systems
  http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.uprun.doc/doc/t0006476.htm
Windows systems
  None required.
DB2 bufferpool tuning for large-scale environments:
You might need to tune the DB2 bufferpool settings for large-scale environments. Use these settings:
    db2 alter bufferpool TKLMBP_LG immediate size 1000 automatic
    #--
    #--- Use one of the following two statements:
    #--- If you migrate from Tivoli Key Lifecycle Manager Version 1,
    #--- specify the next statement:
    db2 alter bufferpool TKLMBP_4K_IDX immediate size 1000 automatic
    #--- Otherwise, omit the statement.
    #--- However, if NO migration occurs, specify the next statement:
    db2 alter bufferpool TKLMBP_4K_LG_IDX immediate size 1000 automatic
    #--- Otherwise, omit the statement.
    #--
    db2 alter bufferpool TKLMBP_8K_LG immediate size 1000 automatic
    db2 alter bufferpool TKLMBP_32K_LG immediate size 1000 automatic
    db2 alter bufferpool TKLMBP_SM immediate size 1000 automatic
    db2 alter bufferpool TKLMBP_IDX immediate size 1000 automatic
    db2 alter bufferpool TKLMBP_32K_IDX immediate size 1000 automatic
    db2 alter bufferpool TKLMBP_SCH immediate size 1000 automatic
Browser requirements:
The following table lists the browsers and browser versions that Tivoli Key Lifecycle Manager supports. Session cookies and JavaScript must be enabled in the browser to establish a session with Tivoli Key Lifecycle Manager. Supported browsers are not included with the product installation. Except on AIX systems, the browser can run either on the computer where Tivoli Key Lifecycle Manager runs or on a different computer. No supported browser runs on AIX systems, as Table 11 on page 39 shows.
Table 11. Supported browsers
The platform columns of the table are AIX, Sun Server Solaris SPARC, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Red Hat Enterprise Linux, and SuSE Linux Enterprise Server.

Browser | Fix pack
Microsoft Internet Explorer, Version 7.0 | None
Microsoft Internet Explorer, Version 8.0 in compatibility mode | None
Firefox Version 3.0.x (Note: Version 3.5 and above are not supported.) | None
Keystore type and key size requirements: You must consider the requirements for a specific keystore type and key sizes before you install and configure Tivoli Key Lifecycle Manager. Tivoli Key Lifecycle Manager supports these keystore types:
• JCEKS (JCE software provider): Use this keystore type if you are using only Java software. Ensure that the flat file JCEKS keystore resides in a restricted area of the file system on the Tivoli Key Lifecycle Manager system. Use a JCEKS keystore for all distributed operating systems.
Table 12 lists the keystore types that Tivoli Key Lifecycle Manager supports.
Table 12. Summary of supported keystore types
Keystore   3592, DS8000                       LTO, BRCD_ENCRYPTOR        DS5000, ONESECURE
           (store key pairs and certificates) (store symmetric keys)     (store symmetric keys)
JCEKS      Yes                                Yes                        Yes
Supported key sizes and import and export restrictions Tivoli Key Lifecycle Manager can serve either 2048 or 1024-bit keys to devices. Older keys that were generated as 1024-bit keys can continue to be used. Table 13 on page 40 lists the supported key sizes for each keystore type that Tivoli Key Lifecycle Manager supports.
Table 13. Supported key sizes and keystore types
Keystore type   Import PKCS#12 file   Export PKCS#12 file   Key generation size in bits
JCEKS           Yes                   Yes                   2048
Workaround: If you return to a previous screen to specify a value for the DB2 Administrator ID a second time, deselect the option to create the user. Then retype a value in the field for the DB2 Administrator ID.
• Problem: Migration from Encryption Key Manager to Tivoli Key Lifecycle Manager fails if the Encryption Key Manager keystore contains a certificate with a key that has an Elliptic Curve (EC) public key algorithm. Workaround: Delete the key that has the EC algorithm and run the migration script that Tivoli Key Lifecycle Manager provides. For example, to delete a key from an Encryption Key Manager JCEKS keystore, type on one line:
JAVA_INSTALL_DIR/bin/keytool -keystore keystore_path_and_filename -storetype jceks -delete -alias EC_keyname
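The following script is an added example and is not part of the Tivoli Key Lifecycle Manager documentation. It finds the aliases that the workaround above tells you to delete by parsing the output of keytool -list -v (a constructed sample listing is embedded; the keystore path /opt/ekm/EKMKeys.jck and the aliases in it are assumptions) and produces one delete command, in the form shown above, for each entry whose key uses the EC algorithm.

```python
"""Find Elliptic Curve entries in an Encryption Key Manager JCEKS keystore.

Added example; it is not part of the Tivoli Key Lifecycle Manager
documentation. Migration stops on a certificate whose key uses the EC
algorithm, and keytool cannot filter by key algorithm, so this parses the
output of
    keytool -list -v -keystore <file> -storetype jceks
(a constructed sample is embedded below) and builds one delete command,
in the form the workaround shows, for each EC entry. Newer keytool versions
print 'Subject Public Key Algorithm: 256-bit EC key', which is used when
present; older ones print only the certificate's signature algorithm, so
the fallback flags entries signed with ECDSA. That catches a self-signed EC
certificate but not an EC key certified by an RSA CA, so review the output.
"""
import re

_ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$", re.M)
_ENTRY_TYPE_RE = re.compile(r"^Entry type:\s*(\S+)", re.M)
_PUBKEY_RE = re.compile(r"^Subject Public Key Algorithm:\s*(.+)$", re.M)
_SIGALG_RE = re.compile(r"^Signature algorithm name:\s*(\S+)", re.M)

# Constructed sample of 'keytool -list -v' output: an RSA certificate, a
# self-signed EC certificate and a symmetric (LTO) key with no certificate.
SAMPLE_LISTING = """\
Keystore type: jceks
Keystore provider: SunJCE

Your keystore contains 3 entries

Alias name: ekm3592cert
Creation date: Mar 3, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ekm3592cert, O=IBM
Issuer: CN=ekm3592cert, O=IBM
Serial number: 49ad1e2b
Valid from: Tue Mar 03 10:00:00 MST 2009 until: Fri Mar 01 10:00:00 MST 2019
Signature algorithm name: SHA1withRSA
Version: 3


*******************************************


Alias name: ekm_ec_test
Creation date: Jun 12, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ekm_ec_test, O=IBM
Issuer: CN=ekm_ec_test, O=IBM
Serial number: 4a32a0c1
Valid from: Fri Jun 12 09:00:00 MST 2009 until: Mon Jun 10 09:00:00 MST 2019
Signature algorithm name: SHA1withECDSA
Version: 3


*******************************************


Alias name: ltokey000001
Creation date: Jul 1, 2009
Entry type: SecretKeyEntry
"""


def keystore_entries(listing):
    """Split 'keytool -list -v' output into (alias, entry text) pairs."""
    hits = list(_ALIAS_RE.finditer(listing))
    entries = []
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(listing)
        entries.append((hit.group(1), listing[hit.start():end]))
    return entries


def uses_ec(entry_text):
    """True when the key is an EC key (definitive) or its certificate is ECDSA-signed (heuristic)."""
    pub = _PUBKEY_RE.search(entry_text)
    if pub:
        return "EC" in pub.group(1).split()
    sig = _SIGALG_RE.search(entry_text)
    return sig is not None and sig.group(1).upper().endswith("ECDSA")


def ec_aliases(listing):
    """Aliases of entries that block migration from Encryption Key Manager."""
    return [alias for alias, text in keystore_entries(listing)
            if _ENTRY_TYPE_RE.search(text) and uses_ec(text)]


def delete_commands(listing, keystore_path, java_home="JAVA_INSTALL_DIR"):
    """One keytool delete command per EC entry, in the form the workaround shows."""
    return ["%s/bin/keytool -keystore %s -storetype jceks -delete -alias %s"
            % (java_home, keystore_path, alias) for alias in ec_aliases(listing)]


if __name__ == "__main__":
    for command in delete_commands(SAMPLE_LISTING, "/opt/ekm/EKMKeys.jck"):
        print(command)
```

Run keytool -list -v -keystore <file> -storetype jceks, pass its output to delete_commands, and review the result. Back up the keystore before you delete anything: a deleted private key cannot be recovered, and data encrypted under it becomes unreadable.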
• Problem: After you install Tivoli Key Lifecycle Manager on a computer that specifies Turkish as its locale, the browser instance for Tivoli Key Lifecycle Manager does not start. Later attempts to start Tivoli Key Lifecycle Manager also fail. Workaround: Install Tivoli Key Lifecycle Manager on a computer that specifies English as its locale. After you successfully install and start Tivoli Key Lifecycle Manager in English, specify Turkish as the locale and restart the computer. Validate that Tivoli Key Lifecycle Manager starts.
• Problem: For a silent installation, you must previously uncomment and specify a value of true in the #LICENSE_ACCEPTED=value statement in the response file. Otherwise, installation fails and no message is written to an error log. Workaround: Before you start a silent installation, uncomment the #LICENSE_ACCEPTED=value statement in the response file. Specify a value of true.
• Problem: Installation fails on a computer that has insufficient space and also does not remove files that the installation process created. Workaround: Provide enough free disk space on the computer to allow successful completion of the product installation. You might need to manually remove the files that the failed installation created.
• Problem: You cannot use the graphical user interface to delete a migrated rollover that you added with the command-line interface using the tklmCertDefaultRolloverAdd or the tklmKeyGroupDefaultRolloverAdd command. Workaround: Use the command-line interface to delete a migrated rollover that you created using the command-line interface.
• Problem: During migration on distributed systems, the correct path and file are not dependably located if you click Browse to locate an Encryption Key Manager properties file. You also cannot dependably select a folder and press Enter. Workaround: Manually enter the path to the Encryption Key Manager properties file.
• Problem: During Tivoli Key Lifecycle Manager installation on distributed systems, if you omit a forward slash when you type the value of the DB2 home directory, you might see an error message that indicates that the specified administrative user ID cannot be created. The message indicates that you must ensure that the password meets system requirements and that the home directory has adequate disk space. Workaround: Ensure that a forward slash is the first character when you specify the DB2 home directory. For example, type:
/mydb2home
• Problem: If you install Tivoli Key Lifecycle Manager by using Exceed on a local machine while exporting the display from a Linux machine to the local machine, you cannot decline the license agreement. If you decline the license agreement, the installation program becomes unresponsive. Workaround: Accept the license agreement, or use the Cygwin X Server or a Virtual Network Connection (VNC) instead.
• Problem: When you migrate or restore devices from Encryption Key Manager Version 2.1 to Tivoli Key Lifecycle Manager Version 2, the device serial numbers can appear in lists for all device groups in the graphical user interface. For example, the serial number for a migrated LTO tape drive appears in a list of LTO tape drives, and also in lists for 3592 tape drives.
Workaround: Ensure that the device is the correct type before you start an operation that alters the device.
• Problem: Migration might cause a drive of a specific type to appear with an UNKNOWN label in the Tivoli Key Lifecycle Manager graphical user interface. Limitation: Migration from Encryption Key Manager does not resolve the device group for all drives. The current migration result is:
Table 14. Device group assignment after migration from Encryption Key Manager
Drive characteristic                                                           Assigned device group
Drives which have an alias or aliases defined                                  3592 tape drive
Drives that follow the serial number specification for 3592 tape drives        3592 tape drive
Drives which have symAlias defined                                             LTO tape drive
Other drives that do not define an alias or a symAlias, and do not follow      UNKNOWN
  the serial number specification for 3592 tape drives
After a drive of an unknown type makes a request to Tivoli Key Lifecycle Manager, its type might change to a known device group. Alternatively, you can modify the device group by using the Tivoli Key Lifecycle Manager graphical user interface.
db2 reorg indexes all for table tklmdb2.kmt_keystr_rn allow no access
db2 runstats on table tklmdb2.kmt_keystr_rn and indexes all
db2 reorg indexes all for table tklmdb2.kmt_group allow no access
db2 runstats on table tklmdb2.kmt_group and indexes all
db2 reorg indexes all for table tklmdb2.kmt_devaudit allow no access
db2 runstats on table tklmdb2.kmt_devaudit and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_attr_appinfo allow no access
db2 runstats on table tklmdb2.kmt_kmip_attr_appinfo and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_attr_cryptoparams allow no access
db2 runstats on table tklmdb2.kmt_kmip_attr_cryptoparams and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_attr_custom allow no access
db2 runstats on table tklmdb2.kmt_kmip_attr_custom and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_attr_digest allow no access
db2 runstats on table tklmdb2.kmt_kmip_attr_digest and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_attr_link allow no access
db2 runstats on table tklmdb2.kmt_kmip_attr_link and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_global_names allow no access
db2 runstats on table tklmdb2.kmt_kmip_global_names and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_attr_name allow no access
db2 runstats on table tklmdb2.kmt_kmip_attr_name and indexes all
db2 reorg indexes all for table tklmdb2.kmt_kmip_attr_objectgroup allow no access
db2 runstats on table tklmdb2.kmt_kmip_attr_objectgroup and indexes all
4. Start the Tivoli Key Lifecycle Manager server using the startServer command. Alternatively on Windows systems, start the Tivoli Key Lifecycle Manager server by using Windows Computer Management:
   a. Open the Control Panel and click Administrative Tools > Computer Management > Services.
   b. Start the Tivoli Key Lifecycle Manager server service, which has a name like Tivoli Integrated Portal - TIPProfile_Port_16310.
5. Perform another backup of Tivoli Key Lifecycle Manager.
• Problem: An unsuccessful attempt to change a password on the Change Your Password page causes this message:
Could not set the password via the underlying security system. This could be because a password rule was not met, because you do not have access to change the password, or another reason. CWWIM2510E Critical exception has occurred inside a subscriber of plugin: com.ibm.tklm.password.messages.CTGKOXXXXE
The error occurs when the password does not meet the defined password policy. Workaround: For more information about the password policy violation, find the message in the Reference topics in this IBM Tivoli Key Lifecycle Manager Information Center. The character O in CTGKOXXXXE is the alphabetic character O, not a zero. For example, you might locate:
CTGKO0101E Password policy violation was detected. Password is too short. Minimum length is VALUE_0.
• Problem: On systems where there are large numbers of keys, an operation such as creating a key group might time out. Workaround: Change the value of com.ibm.SOAP.requestTimeout in /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/properties/soap.client.props to a larger value. For example, set the value to 1200 and restart Tivoli Integrated Portal.
• Problem: After a Tivoli Key Lifecycle Manager session times out, your first attempt to log in fails with a message like this example:
Your session has become invalid. This is due to a session timeout, an administrator has logged you out, or another user has invalidated your session by logging on with the same User ID.
Workaround: Ignore the message and log in again.
• Problem: An attempt to create an IKEv2-SCSI certificate on a Solaris operating system fails with an error like this example:
Graphical user interface:
CTGKM0113E IKEv2-SCSI certificate submit failed: Error occured in RequiredModelMBean while trying to invoke operation generateSelfSignedCertificate.
Command-line interface:
WASX7278I: Generated command line: AdminTask.tklmCertCreate ([-type selfsigned -alias spikiness -cn spikiness -validity 100 -keyStoreName mks -usage ikev2server])
WASX7015E: Exception running command: "AdminTask.tklmCertCreate (-interactive)"; exception information:
javax.management.MBeanException
javax.management.RuntimeErrorException
java.lang.ExceptionInInitializerError: java.lang.ExceptionInInitializerError
WASX7278I: Generated command line: AdminTask.tklmCertCreate ([-type selfsigned -alias spike -cn spike -validity 100 -keyStoreName mks -usage ikev2server])
WASX7015E: Exception running command: "AdminTask.tklmCertCreate (-interactive)"; exception information:
javax.management.MBeanException
javax.management.RuntimeErrorException
java.lang.NoClassDefFoundError: java.lang.NoClassDefFoundError
Workaround: Ensure that your environment requires an IKEv2-SCSI certificate. Then contact IBM Software Support.
• Problem: If you delete a keystore loaded with large data, an error like this example might occur:
CTGKM0002E Command failed: com.ibm.db2.jcc.b.SqlException: DB2 SQL error: SQLCODE: -964, SQLSTATE: 57011, SQLERRMC: null
Workaround: The SQLCODE: -964, SQLSTATE: 57011 error occurs because the transaction log is full. To perform the keystore delete operation, enlarge the size of the transaction log. Take these steps:
1. From a DB2 command window, run the DB2 command to get the current DB2 settings:
2. Examine the values of the following entries:
   Log space available to the database
   Log space used by the database
   Secondary logs currently allocated
   Table 15 describes the Tivoli Key Lifecycle Manager default settings.
Table 15. Default log settings
Setting      Value   Description
LOGFILSIZ    1024    Log file size (in 4 KB pages)
LOGPRIMARY   13      Number of primary log files
LOGSECOND    25      Number of secondary log files
3. Enlarge these settings: Number of primary log files. For example, type:
db2 update db cfg for tklmdb using logprimary 40
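The arithmetic behind step 3, as an added example that is not part of the Tivoli Key Lifecycle Manager documentation: the script below parses the three log settings from db2 get db cfg output (a constructed sample with the Table 15 defaults is embedded), reports the capacity of the transaction log, and computes the smallest LOGPRIMARY that reaches a target capacity, so that a single sized change can replace repeated guessing. The target of 260 MB and the database name tklmdb are assumptions; the 256-file ceiling is the DB2 9 limit on LOGPRIMARY + LOGSECOND.

```python
"""Transaction-log sizing for the SQLCODE -964 / SQLSTATE 57011 workaround.

Added example; it is not part of the Tivoli Key Lifecycle Manager
documentation. It reads the three log settings from the output of
'db2 get db cfg for tklmdb' (a constructed sample is embedded below),
reports the log capacity in MB, and produces the 'db2 update db cfg'
statement that reaches a target capacity by raising LOGPRIMARY, while
honouring the DB2 9 rule LOGPRIMARY + LOGSECOND <= 256.
"""
import re

# Constructed sample of the relevant lines of 'db2 get db cfg for tklmdb';
# the values are the Tivoli Key Lifecycle Manager defaults from Table 15.
SAMPLE_DB_CFG = """\
 Log file size (4KB)                         (LOGFILSIZ) = 1024
 Number of primary log files                (LOGPRIMARY) = 13
 Number of secondary log files               (LOGSECOND) = 25
"""

LOG_KEYS = ("LOGFILSIZ", "LOGPRIMARY", "LOGSECOND")
_CFG_RE = re.compile(r"\((LOGFILSIZ|LOGPRIMARY|LOGSECOND)\)\s*=\s*(\d+)")
DB2_MAX_LOG_FILES = 256  # DB2 9: LOGPRIMARY + LOGSECOND may not exceed 256


def parse_log_settings(cfg_text):
    """Return {'LOGFILSIZ': n, 'LOGPRIMARY': n, 'LOGSECOND': n} from db cfg output."""
    found = {m.group(1): int(m.group(2)) for m in _CFG_RE.finditer(cfg_text)}
    missing = [k for k in LOG_KEYS if k not in found]
    if missing:
        raise ValueError("db cfg output lacks %s" % ", ".join(missing))
    return found


def log_file_mb(settings):
    """LOGFILSIZ is counted in 4 KB pages, so 1024 pages is a 4 MB log file."""
    return settings["LOGFILSIZ"] * 4 / 1024.0


def log_capacity_mb(settings):
    """Total transaction-log capacity: every primary and secondary file filled."""
    return log_file_mb(settings) * (settings["LOGPRIMARY"] + settings["LOGSECOND"])


def plan_enlargement(settings, target_mb, db_name="tklmdb"):
    """Smallest LOGPRIMARY that gives at least target_mb, and the command to set it.

    Returns (new_logprimary, command); command is None when nothing changes.
    Raises ValueError when the target cannot be met by adding log files,
    in which case LOGFILSIZ (a bigger file) is the setting to raise instead.
    """
    files_needed = int(-(-target_mb // log_file_mb(settings)))  # ceiling division
    new_primary = max(settings["LOGPRIMARY"], files_needed - settings["LOGSECOND"])
    if new_primary == settings["LOGPRIMARY"]:
        return new_primary, None
    if new_primary + settings["LOGSECOND"] > DB2_MAX_LOG_FILES:
        raise ValueError(
            "LOGPRIMARY %d + LOGSECOND %d exceeds %d; raise LOGFILSIZ instead"
            % (new_primary, settings["LOGSECOND"], DB2_MAX_LOG_FILES))
    return new_primary, "db2 update db cfg for %s using logprimary %d" % (db_name, new_primary)


if __name__ == "__main__":
    current = parse_log_settings(SAMPLE_DB_CFG)
    print("current log capacity: %.0f MB" % log_capacity_mb(current))
    print(plan_enlargement(current, 260)[1])
```

LOGPRIMARY is not a dynamic parameter: the new value takes effect the next time the database is activated, so stop the Tivoli Key Lifecycle Manager server (or force its connections off) after the update and before you retry the delete. If the required file count exceeds the DB2 9 limit of 256, raise LOGFILSIZ instead of LOGPRIMARY.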
If the problem occurs again, continue to enlarge the size of the transaction log. Retry until the operation completes without error.
• Problem: If you create a 10-character serial number for a new device that uses KMIP in the LTO device family, Tivoli Key Lifecycle Manager pads the serial number with leading zeroes to a length of 12 characters. Later, a KMIP client is unable to locate the device. Workaround: Create a 12-character serial number for a new device that uses KMIP. Do not create serial numbers that are less than 12 characters in length.
• Problem: On the Sun Solaris operating system, backing up Tivoli Key Lifecycle Manager occasionally fails with SQL error SQL1225N. For example:
SQL1225N The request failed because an operating system process, thread, or swap space limit was reached.
The error might be caused by a lack of resources available to perform the backup. Examining the tklmdb2/sqllib/db2dump/db2diag.log file might indicate that system resources such as DB2 processes are not able to acquire semaphores. Workaround: Restart the system and try to run the backup again.
• Problem: If a problem occurs, you might need to change the maximum number of values that can be used in a multi-valued KMIP attribute. Workaround: Update this property only if a problem occurs in reaching the maximum limit for a multi-valued attribute. Use the tklmConfigUpdateEntry command to change the mv.attribute.max.values property in the TKLMgrConfig.properties file.
  mv.attribute.max.values=maxvaluesinteger
    Determines the maximum number of values that can be used in a multi-valued KMIP attribute.
    Required: Yes
    Default: 32
    Example: mv.attribute.max.values=40
• Problem: You might need to change the maximum number of values that can be used in a KMIP custom attribute. Workaround: Use the tklmConfigUpdateEntry command to change the value of the custom.attribute.max.values property in the TKLMgrConfig.properties file.
  custom.attribute.max.values=maxvaluesinteger
    Determines the maximum number of values that can be used in a KMIP custom attribute.
    Required: Yes
    Default: 32
    Example: custom.attribute.max.values=40
• Problem: A WebSphere Application Server startup problem occurs with transaction logs. The problem report is that the server cannot recover a transaction from the log. The Tivoli Key Lifecycle Manager server then fails to initialize. Workaround: When the WebSphere Application Server starts, it attempts to recover a failed transaction written to the log and the startup fails. Remove the WebSphere Application Server logs from the TIP_HOME/profiles/TIPProfile/tranlog/TIPCell/TIPNode/server1/transaction/ directory. Then restart the WebSphere Application Server.
• Problem: On a page that has a date field with a short date format of dd/MM/yyyy, an example entry might be 20/04/2009. However, if you change the entry to a value such as 20/04/09, additional help appears. When you submit the entry, the value changes to 20/04/0009, rather than 2009. Workaround: Submit the entry with the year in the expected yyyy format. For example, type 2010.
• Problem: After you cancel an in-progress installation of Tivoli Key Lifecycle Manager, the cleanup function might not remove some files in Tivoli Integrated Portal directories. For example, the vault.key file might not be removed. Workaround: If you cancel an in-progress installation of Tivoli Key Lifecycle Manager, ensure that you manually delete the TIP_HOME directory.
• Problem: During console mode installation of Tivoli Key Lifecycle Manager, if you navigate back from a password field such as the DB2 password field, the next characters that you type appear as asterisks (*). Workaround: To retain legible characters as field input, avoid reversing your navigation when your focus is a password field.
• Problem: If an asterisk (*) is the last (trailing) character in the name of more than one certificate or key group, Tivoli Key Lifecycle Manager cannot associate the certificate or key group to a device. The device name might end with an asterisk, or end with other characters. Workaround: To successfully associate certificates or key groups with devices, avoid using a trailing asterisk to name certificates or key groups.
• Problem: In silent mode, the installation and uninstallation processes fail or exit without completion if the command that starts the process does not specify a response file. Tivoli Key Lifecycle Manager provides both installation response files and uninstall response files. For example, typing this command causes the uninstallation process to fail or to exit without completion:
./uninstall -i silent
Limitation: You must specify a response file in an installation or uninstallation statement. For example, type:
./uninstall -i silent -f full_path_to_uninstall_response_file
• Problem: In interactive mode, some commands print inaccurate syntax statements to the console. The attribute flag requires braces ({ }) around each name-value pair, but the generated statements show square brackets instead. Limitation: Interactive console displays of command syntax incorrectly specify several delimiters. For example, a tklmDeviceAdd command entry with the correct command syntax might be:
AdminTask.tklmDeviceAdd('[-type 3592 -serialNumber 123456789012 -attributes "{worldwideName ww_name} {aliasOne cert1} "]')
However, the interactive mode has this result: 1. Run the tklmDeviceAdd command in interactive mode.
wsadmin>AdminTask.tklmDeviceAdd(-interactive)
2. The resulting statement shows square brackets, rather than the required braces, for the attribute flag:
WASX7278I: Generated command line: AdminTask.tklmDeviceAdd ([-type 3592 -serialNumber asdfghjklzxc -attributes "[hostAddress 9.0.9.7]"]) CTGKM0001I: Command succeeded.
A tklmDeviceUpdate command entry with the correct command syntax might be:
AdminTask.tklmDeviceUpdate('[-uuid DEVICE-3c2617ec-0f65-445d-9323-a909512fa973 -attributes "{description old_desc}"]')
However, the interactive mode has this result: 1. Run the tklmDeviceUpdate command in interactive mode.
wsadmin>AdminTask.tklmDeviceUpdate(-interactive)
2. After additional interactive activities, the resulting statement shows square brackets, rather than the required braces, for the attribute flag:
WASX7278I: Generated command line: AdminTask.tklmDeviceUpdate ([-uuid DEVICE-8f8f2acf-4bb4-4150-8672-8f809382bef5 -attributes "[ [symAlias sym] [description desc]]"])
• Problem: You might click the Tivoli Key Lifecycle Manager help prompt (?) to obtain additional information in a browser instance, and then allow the current Tivoli Key Lifecycle Manager session to time out. The timeout message and an attempt to obtain a new login window appear in a help browser instance that remains open. Using the help browser instance, you can log in again. However, required navigation buttons are unavailable. Clicking the help prompt causes help information to appear, closing the Tivoli Key Lifecycle Manager graphical user interface without any means of return. Workaround: If your Tivoli Key Lifecycle Manager session times out and you also have a help browser instance open, close the help browser instance. Then, again log in to Tivoli Key Lifecycle Manager.
• Problem: Installing Tivoli Key Lifecycle Manager on a distributed system creates a user ID for Tivoli Key Lifecycle Manager with a password that expires according to the local policy on the system, which might set a short span of time, such as 90 days. If the user ID does not exist, the user ID is the same as the DB2 instance name. After the password expires, a correctly configured system fails and the user who attempts an operation such as listing a keystore, or listing keys in a group, might see these messages:
CTGKM0506E Internal Database Operation error. CTGKM0900E Database connection failed on data source java:comp/env/jdbc/tklmDS
Workaround: Use these steps if the DB2 password has expired, or you want to reset the password for other reasons, such as a change of administrator. First verify that the database server is up and running. Type:
set DB2INSTANCE=tklminstance
db2start
where tklminstance is a value such as tklmdb2. The database returns an informational message such as:
SQL1026N The database manager is already active.
Resolve the problem:
1. Change the password for the Tivoli Key Lifecycle Manager instance owner.
   a. On Windows systems, click Start > Control Panel > Administrative Tools > Computer Management > System Tools > Local Users and Groups > Users.
   b. Change the password for the Tivoli Key Lifecycle Manager instance owner.
2. Stop related services and change the password. On Windows systems, navigate to the services panel by clicking Start > Control Panel > Administrative Tools > Computer Management. Stop these services:
DB2 - DB2COPY1 - tklminstance-0
DB2 Governor
DB2 Remote Command Server
DB2DAS - DB2DAS00
where tklminstance is a value such as tklmdb2.
3. Restart the services that you stopped.
4. Additionally, stop and restart these services, which run as a local system account. You do not need to change their password.
DB2 License Server
DB2 Management Service
DB2 Security Server
5. Log in as TIPAdmin to a wsadmin session.
6. Using the wsadmin command, change the password of the WebSphere Application Server data source:
   a. The following command lists JAASAuthData entries:
wsadmin>print AdminConfig.list('JAASAuthData')
b. Identify the data source ID with the alias that matches the string tklm_db. Also identify the data source ID with the alias that matches the string tklmdb:
print AdminConfig.showAttribute(JAASAuthData_list_entry, 'alias')
c. Change the password of the tklm_db alias, entering this command on one line:
print AdminConfig.modify(JAASAuthData_list_entry, [['password', 'newpassword']])
If you specify special characters in the password, use quote marks as delimiters when you specify the password value. For example, type on one line:
print AdminConfig.modify('(cells/TIPCell|security.xml#JAASAuthData_1228871756187)', [['password', 'tucs0naz']])
d. Change the password of the tklmdb alias that has the identifier JAASAuthData_1228871757843:
print AdminConfig.modify(JAASAuthData_list_entry, [['password', 'passw0rdc']])
   f. Stop and restart the Tivoli Key Lifecycle Manager server using the stopServer and startServer commands. Alternatively, stop and restart the Tivoli Key Lifecycle Manager server by using Windows Computer Management.
      1) Open the Control Panel and click Administrative Tools > Computer Management > Services.
      2) Stop and start the Tivoli Key Lifecycle Manager server service, which has a name like Tivoli Integrated Portal - TIPProfile_Port_16310.
   g. Verify that you can connect to the database using the WebSphere Application Server data source.
      1) First, type:
print AdminConfig.list('DataSource')
2) Test the connection on the first data source. For example, type:
print AdminControl.testConnection('TKLM DataSource(cells....)')
3) Test the connection on the remaining data source. For example, type:
print AdminControl.testConnection('TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1228871766562)')
4) In both cases, you receive a message that the connection to the data source was successful. For example:
WASX7217I: Connection to provided datasource was successful.
Now you can perform a Tivoli Key Lifecycle Manager operation such as listing a keystore.
• Problem: At a wsadmin command prompt on a Solaris operating system, a limit to the length of a command-line entry can prevent typing a long Tivoli Key Lifecycle Manager command. For example, you cannot complete the entry of this tklmCertGenRequest command:
print AdminTask.tklmCertGenRequest('[-alias certificate_008 -cn certificate_008 -ou certification006_ou -o IBM -locality LOC_008 -state NC -validity 365 -keyStoreName "Tivoli Key Lifecycle Manager Keystore" -fileName cert8_fileName.csr -usage "SSLSERVER"]')
Workaround: Write the long command as one line in a file, and execute the file as a script, in a session similar to this example:
-bash-3.00# ./wsadmin.sh -f createCert.py
Realm/Cell Name: <default>
Username: tipadmin
Password:
WASX7209I: Connected to process "server1" on node TIPNode using SOAP connector; The type of process is: UnManagedProcess
CTGKM0001I Command succeeded.
/opt/IBM/tivoli/tiptklmV2/products/tklm/cert8x_fileName.csr
-bash-3.00# cat createCert.py
print AdminTask.tklmCertGenRequest('[-alias certificate_008x -cn certificate_008x -ou certification006_ou -o IBM -locality LOC_008 -state NC -validity 365 -keyStoreName "Tivoli Key Lifecycle Manager Keystore" -fileName cert8x_fileName.csr -usage "SSLSERVER"]')
-bash-3.00# ls -l createCert.py
-rw-r--r--   1 root     root         262 Sep 15 13:31 createCert.py
-bash-3.00#
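The same approach, a script file passed to wsadmin -f, also fits step 6 of the password-reset procedure above. The following Jython script is an added example and is not part of the Tivoli Key Lifecycle Manager documentation. It looks up the JAASAuthData entries by alias instead of by configuration ID, sets the new password on both tklm_db and tklmdb, saves the configuration (a wsadmin change is discarded unless AdminConfig.save() is called, which the steps above do not show) and then runs testConnection on every TKLM data source before you restart the server. The AdminConfig and AdminControl objects exist only inside wsadmin; the FakeAdminConfig and FakeAdminControl classes, the data source ID ending in DataSource_1228871765999 and the password values are constructed so that the script also runs offline.

```python
# rotate_tklm_db_password.py
# Added example; it is not part of the Tivoli Key Lifecycle Manager
# documentation. A wsadmin (Jython) script for step 6 of the password-reset
# procedure, run as a file in the way the Solaris workaround describes:
#     ./wsadmin.sh -f rotate_tklm_db_password.py <new_db2_password>
# It finds the JAASAuthData entries whose alias is tklm_db or tklmdb, sets the
# new password on both, saves the configuration (an unsaved wsadmin change is
# discarded) and tests every TKLM data source. Under wsadmin, AdminConfig and
# AdminControl are provided by the tool; when they are absent the script runs
# against the constructed stand-ins at the bottom. The code stays within the
# Python 2.1 subset that the WebSphere 6.1 wsadmin Jython interpreter accepts.
import sys

TKLM_ALIASES = ("tklm_db", "tklmdb")
SUCCESS = "WASX7217I"   # message ID that testConnection returns on success


def config_ids(admin_config, config_type):
    """AdminConfig.list returns one configuration ID per line."""
    return [line.strip() for line in admin_config.list(config_type).splitlines() if line.strip()]


def find_auth_entries(admin_config):
    """Map each TKLM alias to its JAASAuthData ID; raise if one is missing."""
    found = {}
    for entry in config_ids(admin_config, "JAASAuthData"):
        alias = admin_config.showAttribute(entry, "alias")
        if alias in TKLM_ALIASES:
            found[alias] = entry
    for alias in TKLM_ALIASES:
        if found.get(alias) is None:
            raise ValueError("no JAASAuthData entry with alias %s" % alias)
    return found


def rotate_password(admin_config, admin_control, new_password):
    """Set new_password on both aliases, save, and test the TKLM data sources.

    Returns [(data source ID, result message)] and raises if any test fails,
    so that a wrong password is noticed before the server is restarted.
    """
    entries = find_auth_entries(admin_config)
    for alias in TKLM_ALIASES:
        # Nested-list form: special characters in the password need no quoting
        admin_config.modify(entries[alias], [["password", new_password]])
    admin_config.save()
    results = []
    for ds in config_ids(admin_config, "DataSource"):
        if ds.startswith("TKLM"):   # 'TKLM DataSource(...)' and 'TKLM scheduler XA Datasource(...)'
            results.append((ds, admin_control.testConnection(ds)))
    failed = [ds for ds, msg in results if msg.find(SUCCESS) < 0]
    if failed:
        raise ValueError("connection test failed for %s" % ", ".join(failed))
    return results


class FakeAdminConfig:
    """Constructed stand-in for wsadmin's AdminConfig; the IDs follow the page's examples."""
    def __init__(self):
        self.entries = [
            "tklm_db(cells/TIPCell|security.xml#JAASAuthData_1228871756187)",
            "tklmdb(cells/TIPCell|security.xml#JAASAuthData_1228871757843)"]
        self.attrs = {self.entries[0]: {"alias": "tklm_db", "password": "expired"},
                      self.entries[1]: {"alias": "tklmdb", "password": "expired"}}
        self.saved = 0

    def list(self, config_type):
        if config_type == "JAASAuthData":
            return "\n".join(self.entries)
        if config_type == "DataSource":   # DataSource_1228871765999 is a constructed ID
            return ("TKLM DataSource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1228871765999)\n"
                    "TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1228871766562)")
        return ""

    def showAttribute(self, entry, name):
        return self.attrs[entry][name]

    def modify(self, entry, attr_list):
        for name, value in attr_list:
            self.attrs[entry][name] = value
        return ""

    def save(self):
        self.saved = self.saved + 1
        return ""


class FakeAdminControl:
    """Constructed stand-in: a data source connects only with the saved password that DB2 expects."""
    def __init__(self, admin_config, db2_password):
        self.cfg = admin_config
        self.db2_password = db2_password   # the instance owner's current operating-system password

    def testConnection(self, ds_id):
        for attrs in self.cfg.attrs.values():
            if attrs["password"] != self.db2_password or not self.cfg.saved:
                return "constructed: connection to provided datasource was unsuccessful"
        return "WASX7217I: Connection to provided datasource was successful."


def main(argv):
    """argv holds the new password; offline, the constructed stand-ins replace wsadmin's objects."""
    if len(argv) < 1:
        raise ValueError("usage: wsadmin -f rotate_tklm_db_password.py <new_db2_password>")
    try:
        cfg, ctl = AdminConfig, AdminControl          # defined only inside wsadmin
    except NameError:
        cfg = FakeAdminConfig()
        ctl = FakeAdminControl(cfg, argv[0])
    return rotate_password(cfg, ctl, argv[0])


if __name__ == "__main__":
    args = sys.argv
    if args and args[0].endswith(".py"):   # plain Python puts the script path first; wsadmin does not
        args = args[1:]
    main(args)
```

Change the operating-system password of the instance owner and restart the DB2 services (steps 1 to 4) before you run the script; the connection tests use the password you pass, so a mismatch surfaces as a raised error instead of a CTGKM0900E on the next keystore operation.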
• Problem: Although Tivoli Key Lifecycle Manager allows you to specify a key label that is up to 256 characters in length, a label that exceeds 64 characters is too long for use with encryption-capable tape drives or RAID controllers. For example, the 64-character limit applies to the key label for a certificate used by a 3592 tape drive, LTO tape drive, or DS8000 Turbo drive. Workaround: Specify key labels that are 64 characters or less in length for a 3592 tape drive, LTO tape drive, or DS8000 Turbo drive.
• Problem: A Tivoli Key Lifecycle Manager session remains alive on the graphical user interface, even after an extended time has elapsed. A setting for the ISC.KEEPALIVE.INTERVAL property causes the browser to ping the Tivoli Key Lifecycle Manager server at a specified interval, which maintains the session. For example, the property might be set at a value of 20 minutes:
<consoleproperties:console-property id="ISC.KEEPALIVE.INTERVAL" value="20"/>
Workaround: Instead, you might want the session to time out. In the consoleProperties.xml file, disable the property. For example, specify a value of -1 (disable):
<consoleproperties:console-property id="ISC.KEEPALIVE.INTERVAL" value="-1"/>
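Several of the limitations above are naming rules that can be checked before a command is run: the 12-character KMIP serial number, the trailing asterisk in certificate and key-group names, the 64-character key-label limit for tape drives and DS8000, and the brace delimiters of the -attributes flag that interactive mode prints incorrectly. The following script is an added example and is not part of the Tivoli Key Lifecycle Manager documentation; it applies those checks and builds the tklmDeviceAdd call in the quoted form a Jython script needs. The attribute names it treats as labels (aliasOne, symAlias) are the ones shown on this page; the sample values are assumptions.

```python
"""Pre-flight checks for names used with tklmDeviceAdd and tklmDeviceUpdate.

Added example; it is not part of the Tivoli Key Lifecycle Manager
documentation. It encodes four limitations described on this page:
KMIP serial numbers in the LTO device family must be 12 characters
(shorter ones are zero-padded on the server and then not found by the
client), certificate and key-group names must not end in '*', key labels
for tape drives and DS8000 must be at most 64 characters (the interface
allows 256), and the -attributes flag takes brace-delimited pairs, not the
square brackets that interactive mode prints.
"""

KMIP_SERIAL_LEN = 12     # length the server pads KMIP LTO serial numbers to
DEVICE_LABEL_MAX = 64    # longest key label a 3592, LTO or DS8000 Turbo drive accepts
# Attribute names from this page whose values are certificate or key labels
LABEL_ATTRIBUTES = ("aliasOne", "symAlias")


def padded_serial(serial):
    """The value the server stores for a KMIP serial shorter than 12 characters."""
    return serial.rjust(KMIP_SERIAL_LEN, "0")


def check_kmip_serial(serial):
    """Problems with a KMIP LTO serial number; an empty list means it is usable."""
    problems = []
    if len(serial) < KMIP_SERIAL_LEN:
        problems.append("serial %r would be stored as %r, which the KMIP client cannot match"
                        % (serial, padded_serial(serial)))
    elif len(serial) > KMIP_SERIAL_LEN:
        problems.append("serial %r is longer than %d characters" % (serial, KMIP_SERIAL_LEN))
    return problems


def check_label(label, kind="certificate"):
    """Problems with a certificate or key-group name used as a device key label."""
    problems = []
    if label.endswith("*"):
        problems.append("%s name %r ends with '*' and cannot be associated with a device" % (kind, label))
    if len(label) > DEVICE_LABEL_MAX:
        problems.append("%s label %r is %d characters; drives accept at most %d"
                        % (kind, label, len(label), DEVICE_LABEL_MAX))
    return problems


def attributes_arg(attrs):
    """Brace-delimited value for -attributes, e.g. '{worldwideName ww} {aliasOne c1} '."""
    for key, value in attrs:
        if "{" in key + value or "}" in key + value:
            raise ValueError("attribute %r=%r contains a brace" % (key, value))
    return "".join("{%s %s} " % (key, value) for key, value in attrs)


def device_add_command(dev_type, serial, attrs, kmip=False):
    """Return the wsadmin Jython call for tklmDeviceAdd, or raise with every failed check.

    The page shows the display form AdminTask.tklmDeviceAdd([-type ...]); in a
    Jython script the bracketed argument is passed as a quoted string.
    """
    problems = check_kmip_serial(serial) if (kmip and dev_type == "LTO") else []
    for key, value in attrs:
        if key in LABEL_ATTRIBUTES:
            problems.extend(check_label(value, key))
    if problems:
        raise ValueError("; ".join(problems))
    return "AdminTask.tklmDeviceAdd('[-type %s -serialNumber %s -attributes \"%s\"]')" % (
        dev_type, serial, attributes_arg(attrs))


if __name__ == "__main__":
    print(device_add_command("3592", "123456789012",
                             [("worldwideName", "ww_name"), ("aliasOne", "cert1")]))
```

Run the checks in the wsadmin script that creates the device, or as a separate Python step before it; the point is that each rule fails loudly at definition time rather than as a device that a KMIP client cannot find or a certificate that silently never associates.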
• Problem: If significant amounts of time pass without user activity, session timeout problems can occur in initially configuring Tivoli Key Lifecycle Manager. For example, you create a master keystore. Tivoli Key Lifecycle Manager then directs you to the configuration notebook to set communication protocols and system key serving parameters. Then, an unrelated task requires your attention to another product, and you return to find that your session has timed out. You must complete the remaining updates in the configuration notebook. Workaround: To access the configuration notebook on the graphical user interface, click Tivoli Key Lifecycle Manager > Configuration.
• Problem: The Tivoli Key Lifecycle Manager server does not start or fails during run time. Restarting DB2 does not enable you to restart Tivoli Key Lifecycle Manager. Error messages are like this example:
aries:/opt/IBM/db2/V9.1/instance # cd /opt/IBM/tivoli/tiptklmV2/bin
aries:/opt/IBM/tivoli/tip/bin # ./startServer.sh server1
ADMU0116I: Tool information is being logged in file
           /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/logs/server1/startServer.log
ADMU0128I: Starting tool with the TIPProfile profile
ADMU3100I: Reading configuration for server: server1
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3011E: Server launched but failed initialization. startServer.log, SystemOut.log (or job log in zOS) and other log files under /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/logs/server1 contain failure information
Messages that indicate a problem are like this example, which shows only the first start:
[...]
[11/25/08 10:53:00:435 MST] 00000026 SystemOut     O TCP:New THread: group=Thread-29242Thread[Thread-29242,5,KeyManagementServerV2-Listeners]
[11/25/08 10:53:34:316 MST] 00000026 SystemOut     O TCP:New THread: group=Thread-29243Thread[Thread-29243,5,KeyManagementServerV2-Listeners]
************ Start Display Current Environment ************
WebSphere Platform 6.1 [embeddedEXPRESS 6.1.0.17 cf170821.07] running with process name TIPCell\TIPNode\server1 and process id 6569
Host Operating System is Linux, version 2.6.16.60-0.21-smp
Java version = J2RE 1.5.0 IBM J9 2.3 Linux x86-32 j9vmxi3223-20080315 (JIT enabled)
J9VM - 20080314_17962_lHdSMr
JIT  - 20080130_0718ifx2_r8
GC   - 200802_08, Java Compiler = j9jit23, Java VM name = IBM J9 VM
was.install.root = /opt/IBM/tivoli/tiptklmV2
user.install.root = /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile
Java Home = /opt/IBM/tivoli/tiptklmV2/java/jre
ws.ext.dirs = /opt/IBM/tivoli/tiptklmV2/java/lib:/opt/IBM/tivoli/tip/profiles/TIPProfile/classes:/opt/IBM/tivoli/tiptklmV2/classes:/opt/IBM/tivoli/tiptklmV2/lib:/opt/IBM/tivoli/tiptklmV2/installedChannels:/opt/IBM/tivoli/tiptklmV2/lib/ext:/opt/IBM/tivoli/tiptklmV2/web/help:/opt/IBM/tivoli/tiptklmV2/deploytool/itp/plugins/com.ibm.etools.ejbdeploy/runtime
Classpath = /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/properties:/opt/IBM/tivoli/tiptklmV2/properties:/opt/IBM/tivoli/tiptklmV2/lib/startup.jar:/opt/IBM/tivoli/tiptklmV2/lib/bootstrap.jar:/opt/IBM/tivoli/tiptklmV2/lib/j2ee.jar:/opt/IBM/tivoli/tiptklmV2/lib/lmproxy.jar:/opt/IBM/tivoli/tiptklmV2/lib/urlprotocols.jar:/opt/IBM/tivoli/tiptklmV2/deploytool/itp/batchboot.jar:/opt/IBM/tivoli/tiptklmV2/deploytool/itp/batch2.jar:/opt/IBM/tivoli/tiptklmV2/java/lib/tools.jar
Java Library path = /opt/IBM/tivoli/tiptklmV2/java/jre/bin:/opt/IBM/tivoli/tiptklmV2/bin::/usr/lib
************* End Display Current Environment *************
[11/26/08 12:04:40:695 MST] 0000000a ManagerAdmin  I   TRAS0017I: The startup trace state is *=info.
[...]
[11/26/08 12:08:59:374 MST] 0000000a RecoveryDirec I   CWRLS0010I: Performing recovery processing for local WebSphere server (TIPCell\TIPNode\server1).
[11/26/08 12:08:59:976 MST] 0000000a RecoveryDirec I   CWRLS0012I: All persistent services have been directed to perform recovery processing for this WebSphere server (TIPCell\TIPNode\server1).
[11/26/08 12:09:02:506 MST] 00000011 ServiceLogger I   com.ibm.ws.ffdc.IncidentStreamImpl initialize FFDC0009I: FFDC opened incident stream file /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/logs/ffdc/server1_00000011_08.11.26_12.09.02_0.txt
[11/26/08 12:09:02:825 MST] 00000011 ServiceLogger I   com.ibm.ws.ffdc.IncidentStreamImpl resetIncidentStream FFDC0010I: FFDC closed incident stream file /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/logs/ffdc/server1_00000011_08.11.26_12.09.02_0.txt
[11/26/08 12:09:02:928 MST] 00000011 MultiScopeRec A   CWRLS0008E: Recovery log is being marked as failed. [ 2 transaction ]
[11/26/08 12:09:02:931 MST] 00000011 MultiScopeRec I   CWRLS0009E: Details of recovery log failure: com.ibm.ws.recoverylog.spi.LogCorruptedException
        at com.ibm.ws.recoverylog.spi.LogHandle.openLog(LogHandle.java:555)
        at com.ibm.ws.recoverylog.spi.MultiScopeRecoveryLog.openLog(MultiScopeRecoveryLog.java:573)
        at com.ibm.ws.recoverylog.spi.RecoveryLogImpl.openLog(RecoveryLogImpl.java:71)
        at com.ibm.ws.Transaction.JTA.RecoveryManager.run(RecoveryManager.java:2263)
        at java.lang.Thread.run(Thread.java:810)
[...]
Workaround: Tivoli Integrated Portal might have a startup problem due to corrupted transaction logs that result from an operating system failure, a power outage, or a Tivoli Integrated Portal failure. On the next start, Tivoli Integrated Portal tries to recover a failed transaction written to the log and startup fails. Remove the logs under the TIP_HOME/profiles/TIPProfile/tranlog/TIPCell/TIPNode/server1/transaction/ directory. Then, restart Tivoli Integrated Portal.
• Problem: Unwanted bubble help might remain on the Tivoli Key Lifecycle Manager graphical user interface after you move the cursor over an enabled field to obtain the help display, and then continue your work. For example, you might minimize a panel, but observe that the bubble help remains visible. Workaround: To remove unwanted bubble help, take one of these steps: Open another bubble help; the previous help disappears. Or log off and restart the Tivoli Key Lifecycle Manager session.
• Problem: On a field that accepts date input, typing a value in the field might display bubble help that states the date format is not valid, until the full date is entered. Workaround: The temporary appearance of help information is because validation occurs as you type the date. Use the pop-up calendar, or ignore the bubble help until the full date is entered.
Firefox: No error message appears. The device remains in the pending device list. Additional help appears on the pending device table.
Workaround: Use either message format to recognize your need to correct the key name and try again.
v Problem: If you add a DS5000 storage server using Tivoli Key Lifecycle Manager and Internet Explorer Version 8, you might be unable to close the Add Device dialog.
Workaround: Ensure that the browser has enabled the Binary and script behaviors scripting setting under ActiveX controls and plug-ins. Take these steps:
1. Open the browser and click Tools > Internet Options > Security.
2. On the Security tab, select the zone that contains the Tivoli Key Lifecycle Manager server (for example, Trusted sites, after you add the server to that zone) and click Custom level. Enabling this setting for the Internet zone relaxes ActiveX restrictions for every site you visit, so keep the change scoped to the zone that holds the server.
3. Scroll the list of security settings to the ActiveX controls and plug-ins options and ensure that the Binary and script behaviors setting is enabled.
4. Click OK.
v Problem: When you attempt to access Tivoli Key Lifecycle Manager by specifying a server address rather than localhost, the browser displays a warning message on the login page. Subsequent pages have problems displaying the navigation bar and other information. For example, problems occur if you specify a server address such as lsc553:16316:
    https://lsc553:16316/ibm/console/secure/securelogon.do
When you attempt to log in, a warning message occurs on the login page. For example:
    Note: There are many convenience functions that will not be available with scripting disabled. Enable Java Script in your browser to take advantage of these functions.
Workaround: Specify an address using localhost and then log in to Tivoli Key Lifecycle Manager. For example, type:
    https://localhost:16316/ibm/console/secure/securelogon.do
v Problem: When you attempt to add a self-signed certificate, the cursor might not appear, depending on the browser that you use. With some browsers, the cursor might initially appear in fields such as a required text field for character entry. However, when additional help appears for the field, the cursor no longer displays or blinks to show which field has focus.
Workaround: Ignore the missing cursor. You can successfully complete the entry by typing characters in the field.
v Problem: For an internal Tivoli Integrated Portal certificate, the Internet Explorer browser reports a certificate error after you install and then first log on to Tivoli Key Lifecycle Manager.
Workaround: The error occurs because the issuer of the internal certificate is not in the list of trusted signing authorities. Install the certificate into each browser that you use to access Tivoli Key Lifecycle Manager. Before you trust it, compare the fingerprint that the browser shows with the fingerprint of the certificate in the server keystore, obtained from the server itself rather than from the connection that raised the warning; a certificate installed without this comparison could just as easily belong to a system impersonating the server. To install the certificate on a browser, take these steps:
1. When you see a security alert that indicates that the company signing the certificate is not in the list of trusted companies, click View Certificate.
2. An additional dialog displays the host name of the Tivoli Key Lifecycle Manager server as both the issued-to and the issued-by name.
3. Install the certificate on the browser by clicking Install Certificate. Then, complete the instructions that the browser provides to install the certificate.
v Problem: On the Create Backup page, you cannot type the value for a path in the field that appears when you click Browse, in a browser session using Internet Explorer version 6.0 with Service Pack 2. For example, you cannot type /opt as a value.
Workaround: Use the drop-down arrow on the Browse File dialog to select the directory path.
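Because the browser cannot verify the internal certificate, the only thing that distinguishes the real Tivoli Key Lifecycle Manager server from an impostor at that moment is the certificate fingerprint. The following Python script is an added example, not code from the product or from this document: it reads a certificate saved in PEM form from the browser's View Certificate dialog, computes the same colon-separated fingerprint that browsers and keytool display, and compares it in constant time with a value obtained out of band (for example, from the administrator who can run keytool -list -v against the server keystore; which keystore file holds the certificate is not stated on this page and is left to the reader). The SAMPLE_PEM value is a constructed stand-in with a valid PEM wrapper around non-certificate bytes, so the script runs offline; with a real certificate, pass its PEM text instead.

```python
import base64
import hashlib
import hmac
import re
import textwrap

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algo="sha256"):
    """Digest of the DER bytes as colon-separated upper-case hex, which is
    the format browsers and keytool display (SHA-256 or SHA-1)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept 'AB:CD', 'ab cd' or 'abcd' and return 'ABCD' for comparison."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches_expected(pem_text, expected_fp, algo="sha256"):
    """True only if the certificate's digest equals the fingerprint obtained
    out of band. Do not install the certificate when this returns False."""
    actual = normalize(fingerprint(pem_to_der(pem_text), algo))
    expected = normalize(expected_fp)
    if len(expected) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"expected fingerprint has the wrong length for {algo}")
    # Constant-time comparison; a timing leak is irrelevant here but it is
    # the right habit for any secret-bearing comparison.
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a PEM file saved from the browser; the body is NOT
# a real certificate, only bytes inside a valid PEM wrapper.
_FAKE_DER = b"not-a-real-certificate" * 4
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(_FAKE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    import sys
    # usage: python check_fingerprint.py server.pem <expected SHA-256 fingerprint>
    pem = open(sys.argv[1]).read()
    print("SHA-256:", fingerprint(pem_to_der(pem)))
    ok = matches_expected(pem, sys.argv[2])
    print("fingerprint matches" if ok else "MISMATCH: do not install this certificate")
    sys.exit(0 if ok else 1)
```

A mismatch means either the wrong certificate was exported or something between the browser and the server is presenting its own certificate; in both cases the right response is to stop and investigate rather than click Install Certificate.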
No problem exists in matching the family type. The problem is that you attempted to specify an existing key group name. A corrected message might read:
    CTGKM1129E You specified an existing key group name. Specify a different, unique key group name.
Limitation: The message content is incorrect.
v Problem: Accessibility software such as the Freedom Scientific JAWS screen reader application cannot read some tables of information in the IBM Tivoli Key Lifecycle Manager Information Center. Similar tables in the graphical user interface help might have the same problem. For example, a screen reader cannot read the content of a table of status icons and their meanings in a topic about administering DS8000 storage images.
Limitation: The accessibility reader provides no additional information about the text or graphical content of some tables.
v Problem: An additional message would provide increased clarity after you run a successful migration from Tivoli Key Lifecycle Manager Version 1 to Version 2 and then run the migration script again. Currently, you receive these messages:
    CTGKS0220I: The Tivoli Key Lifecycle Manager migration started at <timestamp>
    CTGKS0153I The migration program succeeded during the previous run.
However, an additional message could be provided. For example, the message might read:
    Examine the TKLM_HOME/migration/migrate.log file for more information.
Limitation: No additional message is provided.
v Problem: The help for the Create Key Group page erroneously specifies that a checkbox is available to create keys in a key group, and that if unchecked, an empty key group is created.
Limitation: The checkbox is not present on the Create Key Group page.
v Problem: When you log in to the Tivoli Key Lifecycle Manager Welcome page as the Tivoli Integrated Portal administrator, false error messages are written to error logs such as SystemOut.log. For example, a message might be:
    [10/6/08 11:24:14:491 CDT] 0000001d WelcomePageSe E com.ibm.isclite.service.welcomepage.WelcomePageServiceImpl configure( HttpServletRequest request ) Error getting WelcomePageService ... remainder of error message deleted in this example ....
Workaround: Ignore the error messages. The Welcome page is available for your use.
Problem determination
This section describes error locations, diagnostic steps, and other information used to identify problems and provide their solutions.
Reported errors
Tivoli Key Lifecycle Manager reports error messages that are returned in the drive sense data. The error messages are typically called fault symptom codes or FSCs and are stored in the Tivoli Key Lifecycle Manager audit log.
Table 16. Errors that are reported by Tivoli Key Lifecycle Manager

EE02
    Description: Encryption Read Message Failure, DriverErrorNotifyParameterError, Bad ASC & ASCQ received. ASC & ASCQ does not match with either of Key Creation/Key Translation or Key Acquisition operation.
    Action: The tape drive requested an unsupported action.

EE0F
    Description: Encryption logic error, Internal error, Unexpected error, Internal programming error.

EE23
    Description: Encryption Read Message Failure: Internal error, Unexpected error.
    Action: The message received from the drive or proxy server could not be parsed because of a general error.

EE25
    Description: Encryption Configuration Problem, Errors that are related to the drive table occurred.
    Action: Verify the contents of the Tivoli Key Lifecycle Manager drive table by using the key management panels on the Tivoli Key Lifecycle Manager graphical user interface, or by running the tklmDeviceList() command to verify whether the drive is correctly configured. For example, verify that the drive serial number, alias, and certificates are correct.

EE29
    Description: Encryption Read Message Failure: Invalid signature.
    Action: The message received from the drive or proxy server does not match the signature on it.

EE2B
    Description: Encryption Read Message Failure, Internal error, Either no signature in DSK or the signature in DSK cannot be verified.

EE2C
    Description: Encryption Read Message Failure, QueryDSKParameterError, Error parsing a QueryDSKMessage from a device. Unexpected dsk count or unexpected payload.
    Action: The tape drive requested an unsupported function.

EE2D
    Description: Encryption Read Message Failure, Invalid Message Type.
    Action: The Tivoli Key Lifecycle Manager server received a message out of sequence or received a message that it does not know how to handle.

EE2E
    Description: Encryption Read Message Failure, Internal error, Invalid signature type.
    Action: The message received from the drive or proxy server does not have a valid signature type.

EE31
    Description: Encryption Configuration Problem, Errors that are related to the keystore occurred.
    Action: Check the key labels that you are trying to use or that are configured for the defaults. You can list the certificates that are available to Tivoli Key Lifecycle Manager by using the tklmKeyList() command. If you know that you are trying to use the defaults, then run the tklmDeviceList() command on the Tivoli Key Lifecycle Manager server to verify whether the drive is correctly configured (for example, the drive serial number and associated aliases/key labels are correct). If the drive in question has no associated aliases or key labels, check the values of the drive.default.alias1 and drive.default.alias2 table entries for the device group in the Tivoli Key Lifecycle Manager database. Use the tklmDeviceGroupAttributeList and tklmDeviceGroupAttributeUpdate commands to view and change the table value.
    Note: For DS5000 storage servers, Tivoli Key Lifecycle Manager erroneously returns an error code of EE31 when a key group runs out of keys and the stopRoundRobinKeyGrps property is enabled. The error can also occur for an LTO device group. The event is not a keystore error. To correct the problem, add more keys to the key group that is documented in the audit event.

EE32
    Description: Tivoli Key Lifecycle Manager was unable to locate the key requested for a read request made by an LTO device.
    Action: Use the LTO management panel or the tklmKeyList() command to verify the existence of the requested key.

EE34
    Description: The key group that is configured as the system default or is assigned as a device default has run out of keys. This error can also occur if:
    v A device has requested a key that the device does not have permission to receive.
    v The requested key is assigned to a different device group. For example, an LTO device requests a key from a key group that is assigned to a user-defined LTO device group or to the DS5000 device family.
    Action: Tivoli Key Lifecycle Manager is configured to not reuse keys in key groups and one of the key groups has run out of keys. Use the LTO management panel to add more keys to this group.

EE35
    Description: This error can occur if you do not make a backup after creating new keys or certificates. See the reference topic on the backup.keycert.before.serving property.
    Action: Back up newly-created keys or certificates.

EEE1
    Description: Encryption logic error, Internal error, Unexpected error: EK/EEDK flags conflict with subpage.

EF01
    Description: Encryption Configuration Problem, Drive not configured.
    Action: The drive that is trying to communicate with the Tivoli Key Lifecycle Manager server is not present in the drive table. Run the tklmDeviceList() command to check whether the drive is in the list. If not, configure the drive manually by using the tklmDeviceAdd() command with the correct drive information, or set the device.AutoPendingAutoDiscovery attribute to an appropriate value using the tklmDeviceGroupAttributeUpdate command.
Audit files
Tivoli Key Lifecycle Manager has a default directory for audit data. The location depends on which operating system is used:
Distributed systems
    In the TKLM_HOME/config/TKLMgrConfig.properties file, edit the Audit.handler.file.name property to set this directory. The default is:
        Audit.handler.file.name=logs/audit/tklm_audit.log
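The audit log is where the errors in Table 16 are recorded, so an administrator wants to know exactly which file the property points at and that only the server can write to it. The following Python script is an added example, not code from the product or from this document: it reads a TKLMgrConfig.properties file with a minimal Java-properties parser, resolves Audit.handler.file.name, and reports permission problems on the resulting file and its directory. It assumes that a relative value is resolved against TKLM_HOME (the documented default above is relative, which is the basis for that assumption); the SAMPLE_PROPERTIES text is a constructed excerpt containing only the line this page documents.

```python
import os
import stat
from pathlib import Path


def parse_properties(text):
    """Minimal Java .properties reader: '#' or '!' comment lines, key=value,
    key: value or 'key value', and backslash line continuation. Escape
    sequences inside keys are not handled; the TKLM keys do not need them."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # continuation: glue the next line on
            continue
        for i, ch in enumerate(line):
            if ch in "=: ":
                key, value = line[:i], line[i + 1:].lstrip(" =:")
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def audit_log_path(props, tklm_home):
    """Resolve Audit.handler.file.name to an absolute path.
    Assumption for this example: a relative value is taken relative to
    TKLM_HOME, as the documented default logs/audit/tklm_audit.log suggests."""
    value = props.get("Audit.handler.file.name", "logs/audit/tklm_audit.log")
    p = Path(value)
    return p if p.is_absolute() else Path(tklm_home) / p


def audit_log_problems(path):
    """Return a list of findings for the audit log file; an empty list means
    the file exists and its POSIX mode bits look sane. Mode checks are
    skipped on non-POSIX systems, where ACLs govern access instead."""
    findings = []
    path = Path(path)
    if not path.exists():
        return [f"audit log does not exist yet: {path}"]
    if os.name != "posix":
        return findings
    mode = path.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("audit log is group- or world-writable; records can be tampered with")
    if mode & stat.S_IROTH:
        findings.append("audit log is world-readable; key and device events are exposed")
    parent = path.parent.stat().st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        findings.append("audit directory is world-writable without the sticky bit; "
                        "the log file can be replaced")
    return findings


# Constructed excerpt of TKLM_HOME/config/TKLMgrConfig.properties; only the
# property documented on this page is included.
SAMPLE_PROPERTIES = """\
# Tivoli Key Lifecycle Manager configuration (constructed excerpt)
Audit.handler.file.name=logs/audit/tklm_audit.log
"""


def check_audit_log(tklm_home, properties_text=None):
    """Resolve the audit log for a TKLM_HOME and return (path, findings)."""
    if properties_text is None:
        cfg = Path(tklm_home) / "config" / "TKLMgrConfig.properties"
        properties_text = cfg.read_text()
    props = parse_properties(properties_text)
    path = audit_log_path(props, tklm_home)
    return path, audit_log_problems(path)


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else "/opt/IBM/tivoli/tiptklmV2/products/tklm"
    where, problems = check_audit_log(home)
    print("audit log:", where)
    for p in problems:
        print(" -", p)
```

Point it at the real TKLM_HOME (default /opt/IBM/tivoli/tiptklmV2/products/tklm from Table 17) to confirm where audit events are landing before you go looking for an EE31 or EE34 event there.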
Intended audience
This information center is designed for the system and security administrators in an organization that uses Tivoli Key Lifecycle Manager.
Readers are expected to understand system and security administration concepts. Additionally, the readers must understand administration concepts for these types of products:
v Database servers
v Web application servers
Publications
Read the descriptions of the product library and the related publications to determine which publications you might find helpful. After you determine the publications you need, see the instructions for accessing publications online.
Related publications
You can obtain related publications from these IBM Web sites.
v The Tivoli Integrated Portal information center is available at http://publib.boulder.ibm.com/infocenter/tivihelp/v15r1/topic/com.ibm.tip.doc/welcome_tip_ic.htm.
v The Tivoli Software Library provides a variety of Tivoli publications such as white papers, data sheets, demonstrations, IBM Redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
v The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address: http://www.ibm.com/software/globalization/terminology
IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Documentation Central Web site at http://www.ibm.com/tivoli/documentation.
Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File > Print).
You can also locate publications at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
Ordering publications
You can order many Tivoli publications online or by telephone. You can order publications from http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi. You can also order by telephone by calling one of these numbers:
v In the United States: 800-879-2755
v In Canada: 800-426-4968
In other countries, see the Web site http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
Support information
If you have a problem with your IBM software, you want to resolve it quickly.
Typeface conventions
This information uses these typeface conventions.
Bold
v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets)
v Keywords and parameters in text
Italic
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Table 17. HOME and other directory variables (continued)

TIP_HOME
    Description: The Tivoli Integrated Portal home directory.
    Default definition:
        Windows: drive:\IBM\tivoli\tiptklmV2
        Linux, AIX, and Solaris: path/IBM/tivoli/tiptklmV2 (for example, /opt/IBM/tivoli/tiptklmV2)
    Do not embed spaces in the TIP_HOME installation path or directory name.

TKLM_HOME
    Description: The Tivoli Key Lifecycle Manager home directory.
    Default definition:
        Windows: TIP_HOME\products\tklm
        Linux, AIX, and Solaris: TIP_HOME/products/tklm

TKLM_UNINSTALL_HOME
    Description: The directory that contains the Tivoli Key Lifecycle Manager uninstallation program information.
    Default definition:
        Windows: TIP_HOME\_uninst\TIPInstall
        Linux, AIX, and Solaris: TIP_HOME/_uninst/TIPInstall
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. 
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 USA Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information contains examples of data and reports used in daily business operations. 
To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml. Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both. Intel is a trademark of Intel Corporation in the United States, other countries, or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
Index

B
backup and restore configuration files 30 database 30 keystore 30 klmBackupRestoreGroup 10 known state 31 overview 20, 30 security backup file, do not edit 31 password 31 BRCD_ENCRYPTOR device group browser Firefox 38 Internet Explorer 38 problems, workarounds 53 bufferpool settings, DB2 38
Numerics
3592 device group 12 encryption 25
A
active, state 18 administrator DB2 Database 2 groups 11 klmBackupRestoreGroup 10 klmSecurityOfficer 10 limiting available tasks 10 LTOAdmin 12 LTOAuditor 12 LTOOperator 12 password authority to reset 9 resetting 9 password policy, changing 7 password, changing 8 predefined groups 10 protected objects 11 roles 11 TIPAdmin 10 Tivoli Integrated Portal 2 Tivoli Key Lifecycle Manager 2 TKLMAdmin 10 TKLMAdmin user ID 10 Advanced Encryption Standard 25 AES keys, encryption 25, 26, 27, 28 AIX, requirements 31 asymmetric keys 25 audience 59 audit Audit.handler.file.name 58 Common Base Event (CBE) format 21 log 56, 58 overview 21 W7 format 21 Audit.handler.file.name, property 56, 58 authority SYSADM for database 37 SYSCTRL for database 37
C
component DB2 29 embedded WebSphere Application Server 29 replica server 30 Tivoli Key Lifecycle Manager server 29 compromised, state 18 configuration files, backup and restore 30 conventions, typeface 60 corruption, backup file 31 cryptographic 22
E
encryption 3592 tape drive 25 AES keys 25 key 256-bit AES standard 21, 26, 27, 28 asymmetric 21, 25 symmetric 26, 27, 28 LTO tape drive 25 management 3592 tape drive 25 DS5000 28 DS8000 27 LTO tape drive 26, 27 Tivoli Key Lifecycle Manager reported errors 56 error Audit.handler.file.name property 56 message audit log 56 stderr 56 Tivoli Key Lifecycle Manager reported 56
D
database backup and restore 30 replica server, same as primary 30 requirement, distributed systems 37 SYSADM, SYSCTRL, or SYSMAINT authority 37 DB2 bufferpool settings 38 documentation Web sites 37 kernel settings 37 levels on operating systems 31 tklmdb2 instance name 2 instance owner 2 deployment DB2 29 embedded WebSphere Application Server 29 replica server 30
free disk space (continued) /tmp directory 33 /usr directory 33 \temp directory 33 replica server 30
F
features 3592 tape drive 20 audit 21 auto-pending device 17 backup and restore 20 BRCD_ENCRYPTOR device 17 certificate, additional for DS8000 Turbo drives 17 concurrent administration 17 DS5000 storage servers 17 Internet Key Exchange 17 key deployment 18 group 18 metadata 18 states 18 Key Management Interoperability Protocol 17 keystore 19 keystore types 19, 39 LTO tape drive 20 ONESECURE device 17 overview 3592 tape drive 20 audit 21 backup and restore 20, 30 component deployment 29 disk drives 20 DS5000 storage server 20 DS8000 Turbo drive 20 encryption, keys 21 FIPS 22 key deployment 18 key group 18 key metadata 18 key states 18 keystore 19 keystore types 19, 39 KMIP 23 LTO tape drive 20 replica server 30 roles 12, 15 tape drives 20 role-based access 17 serial number, variable length 17 symmetric keys, DS5000 storage servers 17 trusted certificate, management 17 FIPS IBMJCEFIPS cryptographic provider 22 requirement 22 Firefox browser 38 fix packs operating system support 31 Passport Advantage 40 fixes, replica server same as primary 30 free disk space /home directory 33 /opt directory 33
H
hardware minimum values 33 requirements disk space 33 processor speed 33 system memory 33
klmDelete permission 12 klmGet permission 12 klmModify permission 12 klmRestore permission 12 klmSecurityOfficer 10 klmSecurityOfficerGroup 12 klmView permission 12 KMIPListener.ssl.port, property 23
L
limitations browser 53 documentation 55 installation and removal 40 Tivoli Integrated Portal 53 Tivoli Key Lifecycle Manager server 42 Linux packages 33 requirements 31 Security Enhanced Linux (SELINUX), disabling 33 log audit 56, 58 stderr 56 login multiple browser sessions 6 port number 2 Tivoli Integrated Portal port 2 URL 2 user ID and password 2 LTO device group 12 encryption 25, 26, 27 LTOAdmin 12 LTOAuditor 12 LTOOperator 12
I
IBMJCEFIPS cryptographic provider 22 images installation instructions 40 Passport Advantage 40 initial user ID and password 2 installation images fix packs 40 Passport Advantage 40 installation and configuration guide, publication 59 problems, workarounds 40 instance name, tklmdb2 2 owner, tklmdb2 2 Internet Explorer browser 38
J
Java Runtime Environment, requirement 36 JCEKS, keystore type 19, 39
M
message audit log 56 stderr 56 metadata, key 18
K
kernel settings for DB2 37 key deployment overview 18 encryption 21 group overview 18 metadata overview 18 states active 18 compromised 18 pending 18 symmetric 21 keystore backup and restore 30 flat file 19 JCEKS 19, 39 overview 19 restricted area, security 19 klmAdminDeviceGroup permission klmAudit permission 12 klmBackup permission 12 klmBackupRestoreGroup 10, 12 klmConfigure permission 12 klmCreate permission 12
O
ONESECURE device group 12 operating system AIX 31 DB2 levels 31 Linux packages 33 RedHat Linux 31 replica server, same as primary 30 Sun Server Solaris 31 SuSE Linux 31 Windows 31 ordering publications 60 overview backup and restore 20 features audit 21 backup and restore 20, 30 component deployment 29 FIPS 22
overview (continued) features (continued) key deployment 18 key encryption 21 key group 18 key metadata 18 key states 18 keystore 19 keystore types 39 replica server 30 roles 12, 15 tape drives 20 product 1 overview, keystore types 19
P
Passport Advantage, installation images 40 password administrator, resetting 9 authority to reset 9 backup before reset 9 backup file 31 initial login 2 policy 6 strength 6 patches, replica server same as primary 30 PDF, printing 59 pending, state 18 permissions klmAdminDeviceGroup 12 klmAudit 12 klmBackup 12 klmConfigure 12 klmCreate 12 klmDelete 12 klmGet 12 klmModify 12 klmRestore 12 klmView 12 port installation default 2 number http address 2 https address 2 tklmadmin.html file 2 problems browser 53 documentation 55 encryption 56 installation and removal 40 Tivoli Integrated Portal 53 Tivoli Key Lifecycle Manager server 42 processor speed, requirements 33 product features auto-pending device 17 BRCD_ENCRYPTOR device 17 certificate, additional for DS8000 Turbo drives 17 concurrent administration 17 DS5000 storage servers 17 Internet Key Exchange 17
product (continued) features (continued) Key Management Interoperability Protocol 17 ONESECURE device 17 role-based access 17 serial number, variable length 17 symmetric keys, DS5000 storage servers 17 trusted certificate, management 17 installation, problems and workarounds 40 overview 1 removal, problems and workarounds 40 property Audit.handler.file.name 56 backup.keycert.before.serving 56 fips 1 KMIPListener.ssl.port 23 TransportListener.ssl.timeout 23 publications installation and configuration guide 59 ordering 60 printing as PDF 59 quick start guide 59 related 59 support information 60 Tivoli software library 59 typeface conventions 60
requirements (continued) RedHat Linux 31 runtime environment 36 software 31, 33 Sun Server Solaris 31 SuSE Linux 31 Tivoli Integrated Portal 36 WebSphere Application Server 36 Windows 31 roles suppressmonitor 12 Tivoli Common Reporting 16 Tivoli Integrated Portal 16 Tivoli Integrated Portal charting 16
S
security audit log Common Base Event (CBE) specification 21 backup file corrupt if edited 31 password 31 restore 31 compromised key state 18 FIPS 22 object such as report set 16 Security Enhanced Linux (SELINUX), disabling 33 Tivoli Common Reporting 16 Security Enhanced Linux (SELINUX), disabling 33 session browser cookies 38 JavaScript 38 supported 38 wsadmin, using Jython 8 software AIX 31 DB2 levels 31 Linux packages 33 RedHat Linux 31 requirements 31, 33 Sun Server Solaris 31 SuSE Linux 31 Windows 31 software library, Tivoli 59 states active 18 compromised 18 pending 18 stderr 56 strength, password 6 Sun Server Solaris, requirements 31 support, locating 60 suppressmonitor role 12 SuSE Linux, requirements 31 SYSADM authority, database 37 SYSCTRL authority, database 37 SYSMAINT authority, database 37 system memory, requirements 33
Q
quick start guide, publication 59
R
RedHat Linux, requirements 31 replica server deployment 30 requirements database 30 free disk space 30 operating system 30 Tivoli Key Lifecycle Manager server 30 requirements AIX 31 browser Firefox 38 Internet Explorer 38 cryptographic 22 database 37 DB2 levels 31 FIPS 22 fix pack 31 hardware disk space 33 processor speed 33 system memory 33 Java Runtime Environment 36 Linux packages 33 precedence over any other mention 31
T
tape drives 3592 tape drive 20 LTO tape drive 20 overview 20 TIPAdmin 2, 10 Tivoli Integrated Portal problems, workarounds 53 Tivoli Key Lifecycle Manager reported errors 56 server problems, workarounds 42 TKLM_HOME, default directory 61 TKLM_UNINSTALL_HOME, default directory 61 TKLMAdmin 2, 10 tklmdb2 instance name 2 instance owner 2 training, Web site address 60 TransportListener.ssl.timeout, property 23 Triple DES keys, encryption 26, 27, 28 TS3592, device family 12
typeface conventions 60
U
user groups klmBackupRestoreGroup 12 klmSecurityOfficerGroup 12 LTOAdmin 12 LTOAuditor 12 LTOOperator 12 user ID initial login 2 Tivoli Integrated Portal administrator 2 Tivoli Key Lifecycle Manager administrator 2
W
W7 format, mapping from CBE format 21 what is new auto-pending device 1
what is new (continued) BRCD_ENCRYPTOR device 1 certificate, additional for DS8000 Turbo drives 1 concurrent administration 1 DS5000 storage servers 1 Internet Key Exchange 1 Key Management Interoperability Protocol 1 ONESECURE device 1 role-based access 1 serial number, variable length 1 symmetric keys, DS5000 storage servers 1 trusted certificate, management 1 Windows, requirements 31 workarounds browser 53 documentation 55 installation and removal 40 Tivoli Integrated Portal 53 Tivoli Key Lifecycle Manager server 42