Configuring compliance for FIPS in IBM Security Guardium Key Lifecycle Manager

You can turn on FIPS for IBM® Security Guardium® Key Lifecycle Manager so that all cryptographic operations use the IBMJCEPlusFIPS provider, which is FIPS 140-2 certified.

About this task

In IBM Security Guardium Key Lifecycle Manager, you can enable and disable FIPS compliance by using the Update Security Configurations REST Service.

Procedure

  • Enable FIPS compliance
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run the Update Security Configurations REST Service to set the FIPS property to on in the SKLMConfig.properties configuration file. Pass the user authentication identifier that you obtained in Step 2 along with the request message, as shown in the following example:
      POST https://localhost:port/SKLM/rest/v1/ckms/securityConfigurations/update
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language: en
      {"FIPS": "on"}
    4. Restart the IBM Security Guardium Key Lifecycle Manager server. For more information, see Restarting the Guardium Key Lifecycle Manager server.
  • Disable FIPS compliance
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run the Update Security Configurations REST Service to set the FIPS property to off in the SKLMConfig.properties configuration file. Pass the user authentication identifier that you obtained in Step 2 along with the request message, as shown in the following example:
      POST https://localhost:port/SKLM/rest/v1/ckms/securityConfigurations/update
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language: en
      {"FIPS": "off"}
    4. Restart the IBM Security Guardium Key Lifecycle Manager server. For more information, see Restarting the Guardium Key Lifecycle Manager server.
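
The request from step 3 of both procedures can also be scripted. The following Python sketch is an added example, not part of the IBM documentation: it builds the same request, keeps TLS certificate verification on, and rejects an identifier that could inject extra header lines. The function names and the SKLM_URL, SKLM_AUTH_ID and SKLM_CA environment variables are hypothetical, and the identifier is assumed to have been obtained already as described in step 2.

```python
import json
import ssl
import urllib.request

# Path taken from the request shown in step 3 of the procedure.
UPDATE_PATH = "/SKLM/rest/v1/ckms/securityConfigurations/update"


def build_fips_request(base_url, user_auth_id, state):
    """Build (but do not send) the Update Security Configurations request."""
    if state not in ("on", "off"):
        raise ValueError("FIPS state must be 'on' or 'off'")
    # Reject whitespace and control characters so the identifier cannot
    # smuggle additional header lines into the request.
    if not user_auth_id or any(c.isspace() or ord(c) < 0x20 for c in user_auth_id):
        raise ValueError("invalid user authentication identifier")
    if not base_url.lower().startswith("https://"):
        raise ValueError("the identifier must only be sent over HTTPS")
    body = json.dumps({"FIPS": state}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + UPDATE_PATH,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Accept-Language": "en",
            "Authorization": "SKLMAuth userAuthId=" + user_auth_id,
        },
    )


def set_fips(base_url, user_auth_id, state, ca_file=None):
    """Send the request with certificate verification on; return (status, body)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_fips_request(base_url, user_auth_id, state)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import os
    # Hypothetical environment variables: base URL (https://host:port),
    # the identifier from step 2, and an optional CA bundle path.
    status, text = set_fips(os.environ["SKLM_URL"], os.environ["SKLM_AUTH_ID"],
                            "on", os.environ.get("SKLM_CA"))
    print(status, text)
```

The server restart in step 4 still follows a successful call.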