Product Documentation
Abstract
This page contains answers to some frequently asked questions (FAQ) about IBM Security Guardium Key Lifecycle Manager.
Content
General
Is IBM Security Guardium Key Lifecycle Manager a virtual appliance? Is it encrypted?
No, IBM Security Guardium Key Lifecycle Manager is not an appliance. It is not encrypted.
Is the Db2 database deployed separately and not on the same computer as IBM Security Guardium Key Lifecycle Manager?
No, the Db2 database can be on the same computer as IBM Security Guardium Key Lifecycle Manager.
Where are the keys stored in IBM Security Guardium Key Lifecycle Manager? What security controls are available around it?
IBM Security Guardium Key Lifecycle Manager has two layers of encryption:
- Data key: To encrypt data
- Master key: To encrypt the data keys
All data keys are stored in the Db2 database. These data keys are encrypted by a master key before they are stored. The master key can be stored in a Java keystore (default) or in HSM. You can rotate or refresh the master key. For more information, see Master key REST service.
How many users exist in IBM Security Guardium Key Lifecycle Manager?
For V4.1 and earlier versions: By default, IBM Security Guardium Key Lifecycle Manager creates two users: wasadmin and SKLMAdmin.
For V4.1.1: By default, only one user is created: SKLMAdmin.
What privileges are associated with the users in IBM Security Guardium Key Lifecycle Manager?
For the user privileges, see Administering groups, users, and roles.
Does IBM Security Guardium Key Lifecycle Manager allow LDAP and OIDC integration? If yes, how do we do it?
Yes. For more information, see Configuring user authentication.
Can I use both a client certificate and user credentials (username and password) for KMIP authentication?
Yes. You can use both. To enable the validation of user credentials, add the kmipAuthNeeded=true config property in SKLMConfig.properties. For more information, see kmipAuthNeeded.
How are keys reconciled between IBM Security Guardium Key Lifecycle Manager and other KMIP clients to check integrity?
The keys are automatically reconciled by Db2.
What are the prerequisites to upgrade IBM Security Guardium Key Lifecycle Manager?
See the Upgrading and migrating section of the applicable version.
Where are the client certificates and keys stored in IBM Security Guardium Key Lifecycle Manager?
The client certificates and keys are stored in the Db2 database.
What are the prerequisites to integrate IBM Security Guardium Key Lifecycle Manager with the vCenter?
Check the vCenter and IBM Security Guardium Key Lifecycle Manager versions as given in VMware Compatibility Guide.
Can I migrate vSphere VSAN from KeySecure to IBM Security Guardium Key Lifecycle Manager without decrypting?
IBM Security Guardium Key Lifecycle Manager is a certified KMS for VSAN encryption. VMware enables you to migrate from one key management system (KMS) to another. For more information, see VMware documentation.
Does IBM Security Guardium Key Lifecycle Manager cache keys in the memory? If yes, how does IBM Security Guardium Key Lifecycle Manager make sure the keys are protected in the cache and are not susceptible to any attacks?
IBM Security Guardium Key Lifecycle Manager does not cache any key in the memory.
How do I update the Db2 database password in IBM Security Guardium Key Lifecycle Manager?
See Updating the database password.
For 4.1 and 4.0: After you update the WebSphere Application Server administrator (WASAdmin) password in the WebSphere Application Server Administrative Console, Db2 password update fails. To resolve this issue, see Db2 password update fails after updating the WASAdmin password.
Does IBM Security Guardium Key Lifecycle Manager support command-line interface?
For V4.1 and earlier versions: Yes. See Command-line interface.
For V4.1.1: No, the command-line interface is no longer available. You can use the GUI or REST services. See CLI command and REST service mapping.
Where does IBM Security Guardium Key Lifecycle Manager store the logs?
Windows:
- For V4.1.1: drive:\Program Files\IBM\WebSphere\Liberty\bin
- For V4.1 and earlier versions: drive:\Program Files\IBM\WebSphere\AppServer\bin
Linux:
- For V4.1.1: /opt/IBM/WebSphere/Liberty/products/sklm/logs/
- For V4.1 and earlier versions: /opt/IBM/WebSphere/AppServer/products/sklm/logs/
The audit logs are stored in the audit folder under the same path.
What activity logs are captured and forwarded to the syslog server?
If the syslog format is configured, then all the records created in the audit folder are forwarded to the syslog server. Some examples of the audit record type are authentication, authorization, and runtime. For more information, see Audited events.
Does IBM Security Guardium Key Lifecycle Manager support log forwarding? If yes, what port does it use?
Yes. For more information, see Specifying levels of audit information.
How does IBM Security Guardium Key Lifecycle Manager balance or manage high load?
IBM Security Guardium Key Lifecycle Manager does not provide load balancing. If you have specific requirements, contact IBM Support.
Which ports and protocols are used to communicate with vCenter, HSM server, and other storage devices?
For KMIP clients such as vCenter, IBM Security Guardium Key Lifecycle Manager listens on port 5696 for requests. It establishes connections with KMIP clients over TLS. For more information, see KMIP client configuration.
For IPP clients, IBM Security Guardium Key Lifecycle Manager listens on port 3801 for non-SSL connections and on port 1441 for SSL connections. To connect to the HSM server, IBM Security Guardium Key Lifecycle Manager uses the HSM client.
The in-use protocols and ports are listed under Available Protocols on the IBM Security Guardium Key Lifecycle Manager GUI.
Does IBM Security Guardium Key Lifecycle Manager support Shallow Rekey and Deep Rekey for its KEKs and MKEK?
Yes.
Does IBM Security Guardium Key Lifecycle Manager support Network Interface Card (NIC) bonding on RHEL 8.x?
Yes. IBM Security Guardium Key Lifecycle Manager supports NIC bonding for failover on RHEL 8.x in active-backup mode.
Hardware Security Module (HSM)
What are the prerequisites to integrate IBM Security Guardium Key Lifecycle Manager with the HSMs?
How many HSMs can be used with an IBM Security Guardium Key Lifecycle Manager server?
You can configure only one HSM with an IBM Security Guardium Key Lifecycle Manager server. You can use multiple HSMs for resiliency if the HSM vendor supports it. However, IBM Security Guardium Key Lifecycle Manager does not connect to the backup HSM server automatically.
Does IBM Security Guardium Key Lifecycle Manager need to communicate with HSM every time a key is requested by the client?
Yes.
Do all the nodes in an IBM Security Guardium Key Lifecycle Manager cluster point to the same HSM?
Yes. For more information, see Hardware Security Module usage in IBM Security Guardium Key Lifecycle Manager.
When HSM is used for master key management, does IBM Security Guardium Key Lifecycle Manager need to be permanently connected to the HSM during steady state operations, or is a connection required only when the IBM Security Guardium Key Lifecycle Manager server starts?
Yes, IBM Security Guardium Key Lifecycle Manager must be connected to the HSM all the time. IBM Security Guardium Key Lifecycle Manager communicates with the HSM for every key create and key get request. HSM does not transfer or share the master key with IBM Security Guardium Key Lifecycle Manager. Therefore, IBM Security Guardium Key Lifecycle Manager cannot cache the key.
Which software versions of Gemalto HSM are supported by IBM Security Guardium Key Lifecycle Manager?
See Support matrix.
Does IBM Security Guardium Key Lifecycle Manager support SafeNet Luna cards?
Yes. IBM Security Guardium Key Lifecycle Manager uses the IBM PKCS11 Cryptographic Provider, and supports the cryptographic cards that the provider supports, which includes the SafeNet Luna SA cards. For more information, see Support Matrix.
Multi-Master Cluster
Can we span a Multi-Master cluster over two data centers?
Yes, but it is not recommended. Ideally, each data center has its own Multi-Master cluster. Network issues between two data centers can cause performance problems.
Does a KMIP client need to be modified and tested to support the Multi-Master feature?
No. You do not need to modify any KMIP client to use the Multi-Master feature. Some of the supported KMIP clients are MDE, VSAN, V7000, Spectrum Accelerate/XIV and Lenovo X Series SEDs in SoftLayer.
Do we need to create continuous backup of the IBM Security Guardium Key Lifecycle Manager data?
No. A Multi-Master cluster ensures that keys are synchronized from the primary master server to the standby master servers in real time. Hence, you do not need to perform continuous backups.
What should I do if the database of my primary IBM Security Guardium Key Lifecycle Manager master server is corrupted?
A Multi-Master configuration has multiple standby master servers. These standby master servers have the same data as the primary master server. If the primary database goes down for any reason, you can use the databases of the standby master servers because they hold the same data. IBM Security Guardium Key Lifecycle Manager takes a backup and restores the data to all non-primary master servers once a day. All databases being unavailable at the same time is almost impossible.
Do all master servers in an IBM Security Guardium Key Lifecycle Manager Multi-Master cluster connect to the same HSM?
Yes, all the master servers in a Multi-Master cluster connect to the same HSM.
The data synchronization service automatically copies data from the primary master server to the other master servers at regular intervals. Why should I use the Backup and Restore feature of IBM Security Guardium Key Lifecycle Manager?
You must use the Backup and Restore feature and manually back up the data at regular intervals as a precautionary measure to avoid possible data loss.
Does IBM Security Guardium Key Lifecycle Manager have a single UI to access all the master servers in a cluster?
You can view the list of all the configured master servers from the GUI (go to Administration > Multi-Master). However, you cannot access the master servers from the GUI.
I added a non-HADR master server to the Multi-Master cluster. Why am I still seeing data from the local database instead of data from the primary database?
The data source of the newly added non-HADR master server might still be pointing to the local database. After you add a master server to the cluster, ensure that the data source in its WebSphere® Application Server points to the primary database.
To manually update the server details in the data source:
1. Log in to WebSphere Integrated Solutions Console (https://localhost:9083/ibm/console/logon.jsp).
2. Click Resources > JDBC > Data sources > SKLM DataSource.
3. In the SKLM DataSource page, verify the value in the Server name field under the Common and required data source properties section.
4. If the host name of the local server is shown, update the value by specifying the host name of the primary server.
If the value in the Server name field is already updated with the host name of the primary server, restart WebSphere Application Server and close the page. Otherwise, continue with the following steps.
5. In the Additional Properties section of the SKLM DataSource page, click the WebSphere Application Server data source properties link.
6. In the Advanced DB2® features section, verify the values in the Alternate server names field.
7. Specify the host names of the standby servers as a comma-separated list in the Alternate server names field.
8. Specify the port numbers of the standby servers as a comma-separated list in the Alternate port numbers field.
9. Save the changes.
10. Click Resources > JDBC > Data sources > SKLM scheduler XA Datasource.
11. Repeat steps 3 - 8.
12. Restart WebSphere Application Server.
How do I check that synchronization is running between IBM Security Guardium Key Lifecycle Manager primary and standby master servers?
You can check whether synchronization is running between the IBM Security Guardium Key Lifecycle Manager primary and standby master servers by verifying the time difference between PRIMARY_LOG_TIME and STANDBY_LOG_TIME.
Run the following command from the Db2 Command Window:
db2pd -d <SKLM_DBName> -hadr
For example:
db2pd -d sklmdb31 -hadr
The following output is displayed:
Database Member 0 -- Database SKLMDB31
-- Active -- Up 1 days 21:27:01 -- Date 2018-11-09-20.10.56.059000
HADR_ROLE = PRIMARY
REPLAY_TYPE = PHYSICAL
HADR_SYNCMODE = SYNC
STANDBY_ID = 1
LOG_STREAM_ID = 0
HADR_STATE = PEER
HADR_FLAGS = TCP_PROTOCOL
PRIMARY_MEMBER_HOST = WIN-DBA2ALEJOC8
PRIMARY_INSTANCE = SKLMDB31
PRIMARY_MEMBER = 0
STANDBY_MEMBER_HOST = WIN-VB479C09AG3
STANDBY_INSTANCE = SKLMDB31
STANDBY_MEMBER = 0
HADR_CONNECT_STATUS = CONNECTED
HADR_CONNECT_STATUS_TIME = 11/08/2017 23:25:28.730219 (1510212328)
HEARTBEAT_INTERVAL(seconds) = 30
HEARTBEAT_MISSED = 0
HEARTBEAT_EXPECTED = 2490
HADR_TIMEOUT(seconds) = 120
TIME_SINCE_LAST_RECV(seconds) = 3
PEER_WAIT_LIMIT(seconds) = 0
LOG_HADR_WAIT_CUR(seconds) = 0.000
LOG_HADR_WAIT_RECENT_AVG(seconds) = 0.001541
LOG_HADR_WAIT_ACCUMULATED(seconds) = 45.835
LOG_HADR_WAIT_COUNT = 19538
SOCK_SEND_BUF_REQUESTED,ACTUAL(bytes) = 0, 65536
SOCK_RECV_BUF_REQUESTED,ACTUAL(bytes) = 0, 65536
PRIMARY_LOG_FILE,PAGE,POS = S0000003.LOG, 4891, 191226150
STANDBY_LOG_FILE,PAGE,POS = S0000003.LOG, 4886, 191205494
HADR_LOG_GAP(bytes) = 0
STANDBY_REPLAY_LOG_FILE,PAGE,POS = S0000003.LOG, 4886, 191205494
STANDBY_RECV_REPLAY_GAP(bytes) = 0
PRIMARY_LOG_TIME = 11/09/2017 20:10:52.000000 (1510287052)
STANDBY_LOG_TIME = 11/09/2017 20:10:20.000000 (1510287020)
STANDBY_REPLAY_LOG_TIME = 11/09/2017 20:10:20.000000 (1510287020)
STANDBY_RECV_BUF_SIZE(pages) = 4298
STANDBY_RECV_BUF_PERCENT = 0
STANDBY_SPOOL_LIMIT(pages) = 380000
STANDBY_SPOOL_PERCENT = 0
STANDBY_ERROR_TIME = NULL
PEER_WINDOW(seconds) = 0
READS_ON_STANDBY_ENABLED = N
In the output, PRIMARY_LOG_TIME shows the time at which the Db2 transactional logs were last updated on the primary master server.
STANDBY_LOG_TIME shows the time at which the Db2 transactional logs were last updated on the standby master server.
You can ignore a time difference in milliseconds.
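The comparison described above can be automated. The following script, added here as an example and not part of IBM's documentation or product code, parses the output of db2pd -d <SKLM_DBName> -hadr, checks HADR_ROLE, HADR_CONNECT_STATUS and HADR_STATE, and computes the difference between PRIMARY_LOG_TIME and STANDBY_LOG_TIME with the sub-second part ignored. The two sample reports are constructed from the values shown on this page (the second one with a disconnected standby), and the 60-second alert threshold is an assumption of the example, not an IBM recommendation.

```python
"""Parse the output of `db2pd -d <SKLM_DBName> -hadr` and decide whether
Db2 HADR replication from the primary to the standby master server is
keeping up. Added example; this is not IBM documentation or product code.
The sample reports are constructed from the values shown on the page."""
import re
from datetime import datetime

# Constructed sample: an excerpt of the healthy db2pd -hadr output on the page.
HEALTHY_OUTPUT = """\
Database Member 0 -- Database SKLMDB31
-- Active -- Up 1 days 21:27:01 -- Date 2018-11-09-20.10.56.059000
HADR_ROLE = PRIMARY
HADR_STATE = PEER
HADR_CONNECT_STATUS = CONNECTED
HEARTBEAT_INTERVAL(seconds) = 30
HEARTBEAT_MISSED = 0
HADR_LOG_GAP(bytes) = 0
PRIMARY_LOG_TIME = 11/09/2017 20:10:52.000000 (1510287052)
STANDBY_LOG_TIME = 11/09/2017 20:10:20.000000 (1510287020)
STANDBY_REPLAY_LOG_TIME = 11/09/2017 20:10:20.000000 (1510287020)
"""

# Constructed sample: the standby has dropped off and its log time is stale.
BROKEN_OUTPUT = """\
HADR_ROLE = PRIMARY
HADR_STATE = DISCONNECTED
HADR_CONNECT_STATUS = DISCONNECTED
HEARTBEAT_MISSED = 4
PRIMARY_LOG_TIME = 11/09/2017 20:10:52.000000 (1510287052)
STANDBY_LOG_TIME = 11/09/2017 19:55:00.000000 (1510286100)
"""

# Matches "KEY(unit) = VALUE"; the unit suffix such as (seconds) is dropped from the key.
KEY_VALUE = re.compile(r"^\s*([A-Z0-9_,]+)(?:\([^)]*\))?\s*=\s*(.*?)\s*$")
# Leading "MM/DD/YYYY HH:MM:SS" of a log time; fractional seconds and epoch are ignored.
LOG_TIME = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")


def parse_hadr(text):
    """Return the KEY = VALUE pairs of a db2pd -hadr report as a dict."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def log_time(value):
    """Parse 'MM/DD/YYYY HH:MM:SS.ffffff (epoch)' to a datetime, dropping the
    fractional seconds, which the FAQ says can be disregarded."""
    m = LOG_TIME.match(value)
    if not m:
        raise ValueError("unexpected log time format: %r" % value)
    return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")


def assess_hadr(text, max_lag_seconds=60):
    """Compare PRIMARY_LOG_TIME with STANDBY_LOG_TIME and check the HADR
    connection state. max_lag_seconds is an assumed alert threshold."""
    f = parse_hadr(text)
    problems = []
    if f.get("HADR_ROLE") != "PRIMARY":
        problems.append("run on the primary: HADR_ROLE is %s" % f.get("HADR_ROLE"))
    if f.get("HADR_CONNECT_STATUS") != "CONNECTED":
        problems.append("standby not connected: HADR_CONNECT_STATUS is %s"
                        % f.get("HADR_CONNECT_STATUS"))
    if f.get("HADR_STATE") != "PEER":
        problems.append("HADR_STATE is %s, not PEER" % f.get("HADR_STATE"))
    lag = None
    try:
        lag = (log_time(f["PRIMARY_LOG_TIME"])
               - log_time(f["STANDBY_LOG_TIME"])).total_seconds()
    except KeyError as missing:
        problems.append("field %s missing from output" % missing)
    if lag is not None and lag > max_lag_seconds:
        problems.append("standby log time lags primary by %.0f seconds" % lag)
    return {"lag_seconds": lag, "synchronized": not problems, "problems": problems}


if __name__ == "__main__":
    for label, report in (("healthy", HEALTHY_OUTPUT), ("broken", BROKEN_OUTPUT)):
        result = assess_hadr(report)
        state = "synchronized" if result["synchronized"] else "NOT synchronized"
        print(label, state, result)
```

On the page's own report the standby log time is 32 seconds behind the primary, which the check reports as synchronized; with a disconnected standby and a stale STANDBY_LOG_TIME, the check lists each failed condition so that it can be wired into a monitoring job.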
What do the icons that display the status of ports in a Multi-Master setup mean?
The following table provides a description of the icons that show the port status:
Icon | Description
---|---
Port is reachable | Port is reachable and serving requests as per the specifications.
Port is not reachable | Port is not reachable. Service on a specific port might be down. Refresh the status by using the Refresh option on the UI page.
What do the icons that display the status of Db2 HADR in a Multi-Master setup mean?
The following table provides a description of the icons that show the Db2 HADR status:
Icon | Description
---|---
Db2 HADR is running | Db2 HADR is in running state. All the HADR masters are connected with each other.
At least one of the master servers in the cluster is unreachable | Db2 HADR is in running state, but at least one of the master servers is unreachable.
Db2 HADR is down | Db2 HADR is down and non-functional.
Kerberos
Which versions of IBM Security Guardium Key Lifecycle Manager support Kerberos?
Kerberos configuration is supported on IBM Security Guardium Key Lifecycle Manager V4.1.0.1 and later.
Support for Kerberos is deprecated in IBM Security Guardium Key Lifecycle Manager, version 4.2.
I am not able to configure Kerberos on my IBM Security Guardium Key Lifecycle Manager server. Where can I find the instructions?
What is the impact when the passwords of the domain accounts (such as db2serv and sklmdb41) change periodically?
As long as a valid ticket (its lifetime is configurable) exists in the system, IBM Security Guardium Key Lifecycle Manager operations do not stop even if the password is changed on the Active Directory side.
If the passwords of the domain accounts are updated, the keytab file must be updated. There are two Active Directory accounts: db2serv and sklmdb41.
For the service principal (db2serv), a keytab file is used. This keytab file must be updated on the Guardium Key Lifecycle Manager server.
For the client principal (for example, sklmdb41), the password is stored in the WebSphere configuration. If the domain account password changes frequently, you can switch the client principal to a keytab file as well by using the following steps:
Step 1: For the client principal, create a new keytab file by using the following command (placeholders are shown in angle brackets):
ktpass -out <keytab_file> -mapuser <domain_user> -princ HTTP/<principal>@<REALM> -pass <password> -ptype KRB5_NT_PRINCIPAL -target <REALM> -kvno 0
For example:
ktpass -out linux_client.keytab -mapuser sklmdb41 -princ sklmdb41@SKLM.COM -pass password -ptype KRB5_NT_PRINCIPAL /Target SKLM.COM /kvno 0
Step 2: Add the following parameters to the <SKLM_HOME>/kerberos/jaas.conf file:
useKeytab= "path_of_client_keytab_file"
credsType= "both"
principal= "client_principal"
For example:
JaasClient{
com.ibm.security.auth.module.Krb5LoginModule required
debug=true
useKeytab="/opt/IBM/WebSphere/Liberty/products/sklm/data/linux_client.keytab"
credsType="both"
principal="sklmdb41@EXAMPLE.COM"
useDefaultCcache=false;
};
After this change, if the password for the sklmdb41 Active Directory user changes, only the keytab file has to be updated on the IBM Security Guardium Key Lifecycle Manager server.
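A quick way to confirm that the jaas.conf entry was edited as Step 2 describes, before restarting the server, is to parse it and check the three parameters. The following script is an added example, not IBM documentation or product code; it understands the stanza syntax shown above (Name { ModuleClass flag option=value ...; };), and the sample configuration is constructed from the page's JaasClient entry plus a second entry that still relies on the password and credential cache. The path_exists parameter is a hypothetical injection point so the check can run without a real keytab on disk.

```python
"""Check a <SKLM_HOME>/kerberos/jaas.conf login entry for the keytab-based
settings the FAQ calls for (useKeytab, credsType="both", principal).
Added example; this is not IBM documentation or product code."""
import os
import re
import shlex

# Constructed sample: the JaasClient stanza from the page, plus an entry
# that has not been switched to a keytab.
SAMPLE_JAAS_CONF = '''
JaasClient{
com.ibm.security.auth.module.Krb5LoginModule required
debug=true
useKeytab="/opt/IBM/WebSphere/Liberty/products/sklm/data/linux_client.keytab"
credsType="both"
principal="sklmdb41@EXAMPLE.COM"
useDefaultCcache=false;
};

JaasClientOld{
com.ibm.security.auth.module.Krb5LoginModule required
principal="sklmdb41@EXAMPLE.COM"
useDefaultCcache=true;
};
'''

# One login entry: Name { ... };  (body may span several lines)
ENTRY = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)


def parse_jaas(text):
    """Map each login-entry name to a list of modules. Each module is a dict
    with 'module', 'flag' and 'options'; quoted option values are unquoted."""
    entries = {}
    for name, body in ENTRY.findall(text):
        modules = []
        for stmt in body.split(";"):          # one module per ';'-terminated statement
            tokens = shlex.split(stmt)        # handles the double-quoted values
            if not tokens:
                continue
            module = {"module": tokens[0],
                      "flag": tokens[1] if len(tokens) > 1 else None,
                      "options": {}}
            for tok in tokens[2:]:
                key, _, value = tok.partition("=")
                module["options"][key] = value
            modules.append(module)
        entries[name] = modules
    return entries


def check_keytab_entry(text, entry_name="JaasClient", path_exists=os.path.exists):
    """Return a list of problems with the named entry; an empty list means the
    entry authenticates the client principal from a keytab as the FAQ describes.
    path_exists is injectable so the check can be exercised without a keytab."""
    entries = parse_jaas(text)
    if entry_name not in entries:
        return ["entry %s not found" % entry_name]
    krb5 = [m for m in entries[entry_name] if m["module"].endswith("Krb5LoginModule")]
    if not krb5:
        return ["entry %s has no Krb5LoginModule" % entry_name]
    flag, opts = krb5[0]["flag"], krb5[0]["options"]
    problems = []
    if flag != "required":
        problems.append("module flag is %s, expected required" % flag)
    keytab = opts.get("useKeytab")
    if not keytab:
        problems.append("useKeytab is not set")
    elif not path_exists(keytab):
        problems.append("keytab file %s does not exist" % keytab)
    if opts.get("credsType") != "both":
        problems.append('credsType must be "both"')
    if "@" not in opts.get("principal", ""):
        problems.append("principal must include the realm (user@REALM)")
    # The page's example sets useDefaultCcache=false so the keytab is used.
    if opts.get("useDefaultCcache", "false").lower() != "false":
        problems.append("useDefaultCcache should be false when a keytab is used")
    return problems


if __name__ == "__main__":
    for name in ("JaasClient", "JaasClientOld"):
        print(name, check_keytab_entry(SAMPLE_JAAS_CONF, name) or "OK")
```

Run it against the real file with open(path).read() in place of the constructed sample; the default path_exists then verifies that the keytab referenced by useKeytab is actually present on the server.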
Document Information
Modified date:
19 June 2023
UID
ibm10881734