Guidelines And Requirements For Key Server Management; Exporting And Importing Keys Between Key Server Instances - IBM DS8800 Introduction And Planning Manual

For the latest available encryption-related best practices and guidelines, go to the
IBM Support website at: www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5081492

Guidelines and requirements for key server management

Ensure that you are aware of the guidelines and requirements for managing your
key servers.
The following guidelines and requirements apply:
- You are responsible for maintaining the physical and logical security of key
  servers.
- You are responsible for maintaining synchronization of keystores between key
  servers and for backup of keystore information.
- Back up the key server any time new keys are created that are to be maintained
  by the key server. Ensure that you perform a backup before these new keys are
  used by any client storage devices. For example, perform the backup before the
  device is configured to communicate with the key server to request data keys
  for the associated key label.
- If you provide more than one type of key server, you must use the key export
  method to transfer keys between heterogeneous key server types. Backup and
  restore methods can be used between homogeneous key servers.

Exporting and importing keys between key server instances

If you have key servers with different operating systems, you must use the Tivoli
Key Lifecycle Manager export method to transfer keys between key server
instances.
This task provides the steps to use Tivoli Key Lifecycle Manager to export and
import files between key server instances. For more information about Tivoli Key
Lifecycle Manager, go to the Tivoli Key Lifecycle Manager section at the IBM Tivoli
Information Center.
Perform the following steps to transfer keys:
1. To list all of the known DS8000 devices, run the tklmDeviceList command
with the -type parameter set to DS8K and the -v parameter set to y. The
following is an example of the command and output:
wsadmin>print AdminTask.tklmDeviceList ('[-type DS8K] [-v y]')
CTGKM0001I Command succeeded.
Description = salesDivisionDrive
Serial Number = CCCB31403AFF
Device uuid = DEVICE-5023fd36-cf2a-4406-80cc-fc2ed4065460
Device type = DS8K
World wide name = 61041
Key alias 1 = certb
Key alias 2 = certb
2. Issue the tklmServedDataList command to list all the keys that have been
served to all devices.
3. Compare the command output from step 1 and step 2.
4. Record alias 1.
5. Verify that this alias is associated with the device. If it is not associated with
the device, record the alias that is associated with the device.
6. Repeat steps 3 to 5 until all drive serial numbers and aliases have been
recorded.
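
The reconciliation in steps 3 to 5, as an added example (not from the IBM manual or from Tivoli Key Lifecycle Manager): it parses tklmDeviceList output in the format shown in step 1 and checks alias 1 against the alias that was actually served. The tklmServedDataList output format is not shown on this page, so the served aliases are assumed to be transcribed by hand into a serial-to-alias mapping; the second device and the function names are constructed for illustration.

```python
import re

# Constructed sample in the tklmDeviceList format shown above; second device is made up.
DEVICE_LIST = """\
CTGKM0001I Command succeeded.
Description = salesDivisionDrive
Serial Number = CCCB31403AFF
Device uuid = DEVICE-5023fd36-cf2a-4406-80cc-fc2ed4065460
Device type = DS8K
World wide name = 61041
Key alias 1 = certb
Key alias 2 = certb
Description = exampleDrive
Serial Number = EXAMPLE000001
Key alias 1 = example-old
"""

# Assumption: serial -> alias actually served, transcribed by hand from step 2.
SERVED = {"CCCB31403AFF": "certb", "EXAMPLE000001": "example-new"}

def parse_devices(text):
    """Collect 'name = value' lines into one dict per device (new record at Description)."""
    devices = []
    for line in text.splitlines():
        m = re.match(r"\s*([^=]+?)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue  # status line or blank separator
        key, value = m.groups()
        if key == "Description" or not devices:
            devices.append({})
        devices[-1][key] = value
    return devices

def aliases_to_record(devices, served):
    """Steps 3-5: keep alias 1 if it is the served alias, otherwise record the served one."""
    result = {}
    for dev in devices:
        serial, alias1 = dev["Serial Number"], dev.get("Key alias 1")
        actual = served.get(serial)
        if actual is None:
            result[serial] = (None, "no served key found; check manually")
        elif actual == alias1:
            result[serial] = (alias1, "alias 1 verified")
        else:
            result[serial] = (actual, "alias 1 not associated; recorded served alias")
    return result

if __name__ == "__main__":
    print(aliases_to_record(parse_devices(DEVICE_LIST), SERVED))
```

A serial number that comes back with no alias has not been matched to any served key and should be resolved before the export, since a key left out of the transfer is unavailable on the target key server.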