keysvrmgr Command

Purpose

Manages the Object Data Manager (ODM) database entries that are associated with the encryption key server when the logical volume uses the key server key-protection method for encryption.

Syntax

keysvrmgr action [-h] [flags]

Description

An encryption key server is used to securely store encryption key information. The access to the encryption key server is secured by certificate exchanges between the client and the server. When a logical volume (LV) uses the key server key-protection method for encryption, the information about the encryption key server is stored in the ODM database. You can use the keysvrmgr command to manage the ODM database entries that are associated with the encryption key server.

Starting from IBM® AIX® 7.2 with Technology Level 5, you can run the keysvrmgr command by specifying the action parameter to perform one of the following operations:
  • add: Adds a key server entry
  • modify: Modifies an existing key server entry
  • remove: Removes a key server entry
  • show: Displays information about the key server entry

action parameters

add
Syntax:
keysvrmgr add [-h] -i server_ip [-p server_port] [-g sklm_device_group] -s server_cert_path -c client_cert_path [-P type] server_id
Adds a key server entry to the ODM database. This action parameter can be specified with the following flags:
-i
Specifies the IP address of the encryption key server in the following format:
a.b.c.d
where each of a, b, c, and d is a decimal value in the range 0 - 255.
-p
(Optional) Specifies the port of the encryption key server. You can specify a port value in the range 0 – 65535. The default value is 5696.
-g
(Optional) Specifies the device group name associated with IBM Security Key Lifecycle Manager.
-s
Specifies the absolute path to the X.509 server certificate associated with the encryption key server.
-c
Specifies the absolute path of the Public Key Cryptography Standards #12 (PKCS #12) client certificate associated with your system.
-P
Specifies the type of password protection for the client certificate. You can specify the following values for this flag:
  • y|Y – You are prompted for the client certificate password when the command runs.
  • n|N – The client certificate is not protected by a password. This is the default value.
  • p|P – The password of the client certificate is stored in the platform keystore (PKS).
server_id
Specifies the ID of the encryption key server entry that you want to create in the following format:
server_name[:device_group]
where server_name is the name of the key server entry and device_group is the name of the device group associated with IBM Security Key Lifecycle Manager.
modify
Syntax:
keysvrmgr modify [-h] -i server_ip [-p server_port] [-s server_cert_path] [-c client_cert_path] [-P type] server_id
Modifies an existing key server entry in the ODM database. This action parameter can be specified with the following flags and values:
-i
Specifies the IP address of the encryption key server in the following format:
a.b.c.d
where each of a, b, c, and d is a decimal value in the range 0 - 255.
-p
(Optional) Specifies the port of the encryption key server. You can specify a port value in the range 0 – 65535. The default value is 5696.
-s
Specifies the absolute path to the X.509 server certificate associated with the encryption key server.
-c
Specifies the absolute path of the PKCS #12 client certificate associated with your system.
-P
Specifies the type of password protection for the client certificate. You can specify the following values for this flag:
  • y|Y – You are prompted for the client certificate password when the command runs.
  • n|N – The client certificate is not protected by a password. This is the default value.
  • p|P – The password of the client certificate is stored in the platform keystore (PKS).
server_id
Specifies the ID of the key server entry that you want to modify in the following format:
server_name[:device_group]
where server_name is the name of the encryption key server and device_group is the name of the device group associated with IBM Security Key Lifecycle Manager.
remove
Syntax:
keysvrmgr remove [-h] server_id
Removes a key server entry from the ODM database. You must specify the ID of the key server entry that you want to remove from the ODM database.
show
Syntax:
keysvrmgr show [-h] server_id
Displays information about the specified key server ID.
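The add and modify syntax above imposes several argument formats (an a.b.c.d address with octets 0 - 255, a port in 0 - 65535, absolute certificate paths, a -P type of y, n or p, and a server_id of the form server_name[:device_group]). The following POSIX sh wrapper is an added example and is not part of the AIX reference or the keysvrmgr command itself: it checks each argument against those rules and prints the keysvrmgr add command line it would run, applying the documented defaults (port 5696, -P n) when those arguments are omitted. The function names and the preview-before-run approach are this example's own.

```shell
#!/bin/sh
# Added example, not part of the AIX reference: validate keysvrmgr add
# arguments before running the command. Function names are this example's own.

# valid_ipv4 ADDR: succeed only for four dot-separated decimal octets, 0-255.
valid_ipv4() {
    rest=$1. count=0                       # trailing dot terminates the loop
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# valid_port PORT: an integer in 0-65535, the range the reference documents.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# valid_server_id ID: server_name[:device_group], non-empty name, at most
# one colon, no whitespace.
valid_server_id() {
    case $1 in ''|:*|*:|*:*:*|*[[:space:]]*) return 1 ;; esac
}

# device_group_of ID: print the optional device_group part (empty if absent).
device_group_of() {
    case $1 in *:*) printf '%s\n' "${1#*:}" ;; *) printf '\n' ;; esac
}

# keysvr_add_cmd ID IP [PORT] SERVER_CERT CLIENT_CERT [PTYPE]
# Prints the keysvrmgr add command line after validation, or fails with a
# message on stderr. PORT defaults to 5696 and PTYPE to n, as documented.
keysvr_add_cmd() {
    sid=$1 ip=$2 port=${3:-5696} scert=$4 ccert=$5 ptype=${6:-n}
    valid_server_id "$sid" || { echo "bad server_id: $sid" >&2; return 1; }
    valid_ipv4 "$ip"       || { echo "bad server_ip: $ip" >&2; return 1; }
    valid_port "$port"     || { echo "bad server_port: $port" >&2; return 1; }
    case $scert in /*) ;; *) echo "server cert path must be absolute" >&2; return 1 ;; esac
    case $ccert in /*) ;; *) echo "client cert path must be absolute" >&2; return 1 ;; esac
    case $ptype in y|Y|n|N|p|P) ;; *) echo "bad -P type: $ptype" >&2; return 1 ;; esac
    printf 'keysvrmgr add -i %s -p %s -s %s -c %s -P %s %s\n' \
        "$ip" "$port" "$scert" "$ccert" "$ptype" "$sid"
}

# Preview only (paths below are constructed); pipe the line into sh, or swap
# printf for exec, once the arguments look right.
keysvr_add_cmd sklm1 10.11.12.13 '' /etc/sklm/server.pem /etc/sklm/client.p12 y
```

The wrapper does not pass -g; if you key the entry by server_name:device_group, keep that in server_id, and add -g yourself when the device group is needed as a separate flag.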

Examples

  • To display information about the existing key server entries in the ODM database, run the following command:
    # keysvrmgr show   
    List of key servers: 
    ID                          PWD     IP:PORT
    sklm1                       Y       10.11.12.13:5696
    sklm_server2                N       210.211.212.213:569
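The table that keysvrmgr show prints is easy to audit from a script. The following POSIX sh functions are an added example, not part of the AIX reference: they strip the banner and header lines, split IP:PORT, and list the entries whose client certificate has no password or that are not on the documented default port 5696. They assume that the PWD column reports the -P client-certificate password setting (Y protected, N not protected); the sample output embedded below is constructed for this example and is not real system output.

```shell
#!/bin/sh
# Added example, not part of the AIX reference: audit `keysvrmgr show` output.
# Assumption: the PWD column reflects the -P setting (Y protected, N not).
# The sample below is constructed, not captured from a system.

SAMPLE_SHOW_OUTPUT='List of key servers:
ID                          PWD     IP:PORT
sklm1                       Y       10.11.12.13:5696
sklm_server2                N       210.211.212.213:5696
sklm3:lvgroup               N       10.0.0.7:5697'

# keysvr_entries: read show output on stdin, skip everything up to and
# including the "ID PWD IP:PORT" header, emit "ID PWD IP PORT" per entry.
keysvr_entries() {
    awk '
        $1 == "ID" && $2 == "PWD" { inbody = 1; next }
        inbody && NF >= 3 {
            n = index($3, ":")
            print $1, $2, substr($3, 1, n - 1), substr($3, n + 1)
        }'
}

# unprotected_ids: entries whose client certificate has no password (PWD N).
unprotected_ids() {
    keysvr_entries | awk '$2 == "N" { print $1 }'
}

# nonstandard_port_ids: entries not using the documented default port 5696.
nonstandard_port_ids() {
    keysvr_entries | awk '$4 != "5696" { print $1 }'
}

# On a live system:  keysvrmgr show | unprotected_ids
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | unprotected_ids
```

Both audit functions read stdin, so they can be fed either the live command output or a saved copy of it.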

Files

/usr/sbin/keysvrmgr
Contains the keysvrmgr command.