Add External Key Manager Entry (ADDEKM)

The Add External Key Manager (ADDEKM) command allows authorized users to define the properties for an External Key Manager (EKM). After the EKM is added, you can then use the CRTSYMKEY command to create an entry that refers to a remote key within that EKM.

NOTE: Any maintenance to the External Key Managers is logged into an audit file.

The following users can use this command:

QSECOFR user profile (unless excluded in the Key Officer settings)
A user profile with *SECADM authority (unless excluded in the Key Officer settings)
A Key Officer that has a *YES specified for the “Maintain key policy and alerts” authority setting

How to Get There

From the External Key Manager Menu, choose option 2. Or, submit the command ADDEKM.

Options

Manager id (EKMGRID)

Indicate the unique name of the entry up to 30 characters.

Rules for key manager identifier:

The key manager identifier is a descriptive name.
The key manager identifier cannot contain spaces or certain special characters.
The key manager identifier can contain underscore characters.
The key manager identifier is not case sensitive. It will be stored in upper case.

Manager type (MGRTYPE)

Indicate the type of External Key Manager (EKM).

The possible values are:

*CRYPTO Utilize the Powertech Encryption key management solution.

*KMIP Utilize a Key Server that works with the Key Management Interoperability Protocol (KMIP) standard.

*SAFENET Utilize the SafeNet key management solution.

*VORMETRIC Utilize the Vormetric key managment solution.

Server host (SRVHOST)

Specify the host name or IP address of the External Key Manager.

Alternate Server host (ALTSRVHOST)

Specify the alternate host name or IP address of the External Key Manager.

The Server Host (SRVHOST) will be used first when connecting to the External Key Manager. If the connection attempt fails and the operation is a retrieve key or Verify host operation then the Alternate Server Host (ALTSRVHOST) will be used for the second connection attempt. If the second connection attempt fails then an error message will be returned to the caller.

A create key operation will not use the Alternate Server Host.

Server port (SRVPORT)

Specify the port to use to connect to the External Key Manager.

User profile (USER)

Specify the User profile for signing in to the External Key Manager.

User password (PASSWORD)

Specify the password to sign into the External Key Manager.

Domain (DOMAIN)

If the key manager type is *VORMETRIC, then specify the domain name of the external key server.

Use SSL (SSL)

Indicate if Secure Sockets Layer (SSL) encrpytion should be used to connect to the external key manager.

The possible values are:

*YES Use SSL to connect to the external key manager.

*NO Do not use SSL to connect to the external key manager.

Applcation Id (APPID)

When using an SSL connection, optionally specify the Application id from the IBM i Digital Key Manager that links to the certificate to use.

KMIP connection type (KMIPCONTYP)

Indicate the type of connection to use to connect to the KMIP server.

The possible values are:

*HTTP HTTPS posts will be used when communicating with the KMIP server.

*TCP SSL over TCP will be used when communicating with the KMIP server.

KMIP encoding method (KMIPENCMTH)

Indicate the encoding method to use when communicating with the KMIP server.

The possible values are:

*XML XML encoding will be used to communicate with the KMIP server. XML can only be used with KMIP connection type of HTTPS.

*TTLV TTLV encoding will be used to communicate with the KMIP server. TTLV can be used with either TCP or HTTP communication types.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
4.0 | 202307100156 | July 2023