
Change External Key Manager (CHGEKM)

The Change External Key Manager (CHGEKM) command allows authorized users to change the properties for an EKM entry.

The following users can utilize this command:

 

Change External Key Manager (CHGEKM)

External key manager . . VORMETRIC KEY MGR
Key manager type . . . . *VORMETRIC      *CRYPTO, *KMIP, *SAFENET, *VORMETRIC
Server host  . . . . . . XXX.XXX.X.XX
Alternate Server host  . XXX.XXX.X.XX
Port . . . . . . . . . . 08445           1-65534
User profile . . . . . . linoma
Password . . . . . . . . ******
Domain name  . . . . . .
Use SSL  . . . . . . . . *YES            *YES, *NO
Application id . . . . .

Screen Example:  CHGEKM Command with Sample Values

 


How to Get There

From the External Key Manager Menu, choose option 3. Or, submit the command CHGEKM.

Options

Manager id (EKMGRID)

Indicate the unique name of the entry, up to 30 characters.

Rules for key manager identifier:

Manager type (MGRTYPE)

Indicate the type of External Key Manager (EKM).

The possible values are:

*CRYPTO
Utilize the Powertech Encryption key management solution.
*KMIP
Utilize a Key Server that works with the Key Management Interoperability Protocol (KMIP) standard.
*SAFENET
Utilize the SafeNet key management solution.
*VORMETRIC
Utilize the Vormetric key management solution.

Server host (SRVHOST)

Specify the host name or IP address of the External Key Manager.

Alternate Server host (ALTSRVHOST)

Specify the alternate host name or IP address of the External Key Manager.

The Server Host (SRVHOST) is used first when connecting to the External Key Manager. If that connection attempt fails and the operation is a retrieve key or verify host operation, the Alternate Server Host (ALTSRVHOST) is used for a second connection attempt. If the second connection attempt also fails, an error message is returned to the caller.

A create key operation will not use the Alternate Server Host.

Server port (SRVPORT)

Specify the port to use to connect to the External Key Manager.

User profile (USER)

Specify the User profile for signing in to the External Key Manager.

User password (PASSWORD)

Specify the password to sign into the External Key Manager.

Domain (DOMAIN)

If the key manager type is *VORMETRIC, then specify the domain name of the external key server.

Use SSL (SSL)

Indicate whether Secure Sockets Layer (SSL) encryption should be used to connect to the external key manager.

The possible values are:

*YES
Use SSL to connect to the external key manager.
*NO
Do not use SSL to connect to the external key manager.

Application id (APPID)

When using an SSL connection, optionally specify the Application id from the IBM i Digital Key Manager that links to the certificate to use.

KMIP connection type (KMIPCONTYP)

Indicate the type of connection to use to connect to the KMIP server.

The possible values are:

*HTTP
HTTPS posts will be used when communicating with the KMIP server.
*TCP
SSL over TCP will be used when communicating with the KMIP server.

KMIP encoding method (KMIPENCMTH)

Indicate the encoding method to use when communicating with the KMIP server.

The possible values are:

*XML
XML encoding will be used to communicate with the KMIP server.
XML can only be used with KMIP connection type of HTTPS.
*TTLV
TTLV encoding will be used to communicate with the KMIP server.
TTLV can be used with either TCP or HTTP communication types.
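
The failover rule under Alternate Server host and the KMIP encoding restriction above can be checked before an entry is changed. The following is an added example, not part of the product or its documentation: the dictionary layout, sample values and operation names are assumptions made for illustration, with keys that mirror the CHGEKM keywords.

```python
# Added example: audit EKM entry settings against the rules documented on this page.
# The dict layout, sample values and operation names are constructed for illustration;
# the keys mirror the CHGEKM keywords.
MGR_TYPES = {"*CRYPTO", "*KMIP", "*SAFENET", "*VORMETRIC"}
FAILOVER_OPS = {"retrieve_key", "verify_host"}  # create_key never uses ALTSRVHOST

def hosts_tried(entry, operation):
    """Hosts in the order the page says they are attempted for an operation."""
    hosts = [entry["SRVHOST"]]
    if operation in FAILOVER_OPS and entry.get("ALTSRVHOST"):
        hosts.append(entry["ALTSRVHOST"])
    return hosts

def audit_ekm(entry):
    """Return (severity, message) findings for one EKM entry."""
    out = []
    if len(entry.get("EKMGRID", "")) > 30:
        out.append(("ERROR", "EKMGRID is longer than 30 characters"))
    if entry.get("MGRTYPE") not in MGR_TYPES:
        out.append(("ERROR", "MGRTYPE is not a documented value"))
    port = entry.get("SRVPORT")
    if not isinstance(port, int) or not 1 <= port <= 65534:
        out.append(("ERROR", "SRVPORT is outside 1-65534"))
    if entry.get("SSL") == "*NO":
        out.append(("WARN", "SSL(*NO): connection to the key manager does not use SSL"))
        if entry.get("APPID"):
            out.append(("WARN", "APPID is set but only applies to SSL connections"))
    if entry.get("MGRTYPE") == "*VORMETRIC" and not entry.get("DOMAIN"):
        out.append(("WARN", "DOMAIN is blank for a *VORMETRIC entry"))
    if entry.get("KMIPENCMTH") == "*XML" and entry.get("KMIPCONTYP") == "*TCP":
        out.append(("ERROR", "KMIPENCMTH(*XML) requires KMIPCONTYP(*HTTP)"))
    if not entry.get("ALTSRVHOST"):
        out.append(("WARN", "no ALTSRVHOST: retrieve key and verify host have no second host"))
    return out

# Constructed sample entries (not taken from any real system).
GOOD = {"EKMGRID": "KMIP PROD", "MGRTYPE": "*KMIP", "SRVHOST": "ekm1.example.com",
        "ALTSRVHOST": "ekm2.example.com", "SRVPORT": 5696, "SSL": "*YES",
        "KMIPCONTYP": "*TCP", "KMIPENCMTH": "*TTLV"}
BAD = dict(GOOD, ALTSRVHOST="", SSL="*NO", APPID="EKM_CLIENT", KMIPENCMTH="*XML")

if __name__ == "__main__":
    for name, e in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_ekm(e), hosts_tried(e, "create_key"))
```

Because a create key operation only ever contacts the Server host, an alternate host protects key retrieval but not key creation while the primary is unreachable.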