Security Global Forum

Auto Setup IBM Security Key Lifecycle Manager on AIX

By BUKAI Biswas posted Tue December 19, 2023 07:20 AM

Data protection is a must for any operating system. AIX provides encryption for logical volumes, physical volumes, paging devices and the root volume group. IBM Security Key Lifecycle Manager (SKLM) provides the software and services to deploy a key management solution. It helps companies automate the provisioning of encryption keys, either in a closed enterprise environment or across a virtual or extended enterprise.

Once the AIX build is installed, establish the SKLM server-client model, which lets us add a key server authentication method to an encrypted LV (logical volume), PV (physical volume) or paging LV. SKLM is a server-client setup: the server stores and manages the keys, and the clients (here, the AIX LPARs) authenticate to it with certificates.

To establish the SKLM server-client model smoothly, let users add the key server authentication method, and automate the whole flow end to end, a few tasks must be carried out: generating the certificates and keys, and establishing trusted communication between client and server.

The SKLM key server setup is covered in the following sections:

  1. Download SKLM (Security Key Life Cycle Manager) file sets and configure it.
  2. Configure the SKLM (Security Key Life Cycle Manager) with No Password.
  3. Configure the SKLM (Security Key Life Cycle Manager) Using Password.
  4. Adding and listing the key server entry in ODM database.
  5. Adding Key Server authentication method to Logical Volume (LV).
  6. Removal Of Key Server Entry from ODM database.
  7. Removal Of Client Certificate and Device Group.
  8. Pictorial Diagram of Auto Setup IBM Security Key Life Cycle Manager with DevOps.

Download SKLM (Security Key Life Cycle Manager) file sets and configure it.

  1. Download the SKLM file sets for installation from the link below.

    https://w3.ibm.com/w3publisher/sklm

  2. Before copying the file to the designated LPAR, make sure there is enough space. The tar.gz file is a little over 4 GB, and the extracted file set is about another 4 GB; 10 GB dedicated to this in the root file system should be enough.
  3. Furthermore, edit the file /etc/security/limits, find the fsize, data and rss lines and change their values to -1, which means unlimited. By default AIX does not let a process write a file (for example, one copied onto AIX) larger than the fsize limit, and the tar.gz is well over the default, hence the change. The new limits only apply to sessions started after the change, so log in again before copying. Change these values back ONLY after the installation is complete.
  4. Create a downloads directory under the root directory, copy the tar.gz file into it, decompress it (gzip -d <*.gz file>) and extract it (tar -xvf <*.tar file>).
  5. After extracting the file, edit the xml response file (/downloads/disk1/SKLM_Silent_AIX_Resp.xml) and set the <repository locations=…> values to:

  6. Next, set the DB2_ADMIN, SKLM_ADMIN and WAS_ADMIN passwords in the xml file. To do this, go to /downloads/disk1/im/tools and run ./imcl encryptString <password>, where <password> is the password we want to use in plain text; the tool converts it to a long "encrypted string" and prints it on the console. Copy this string into the corresponding values in SKLM_Silent_AIX_Resp.xml. Note: to create an encrypted password, I usually run something like ./imcl encryptString WAS@admin123. Keep in mind that an argument on the command line is visible to other users through ps and ends up in the shell history, so run this in a controlled session and clear the history afterwards. Installation Manager must be able to reverse the string in order to use it, so treat the response file as a secret: keep it readable by root only and delete it once the installation is complete.

  7. Change the IBM WebSphere Application Server installation directory to /opt/IBM/WebSphere/AppServer in the xml response file SKLM_Silent_AIX_Resp.xml. 
  8. Go back to /downloads/disk1 directory and run the silent installation script. 
  9. After the installation is complete, return the limits to their default values in /etc/security/limits.
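Steps 2, 3 and 9 above are the part most often done by hand, and the limits are also the part most often left at -1 after the install. The following script is an added example and not part of the original post or of the SKLM installer: it does the free-space pre-flight check and toggles fsize, data and rss in the default: stanza of /etc/security/limits, keeping a backup so that step 9 becomes a single call. The limits file path and the 10 GB threshold come from the steps above; the function names, the backup suffix and the --prepare/--restore switches are the example's own choices. Run it as root on the LPAR, and log in again after --prepare, since changed limits apply to new sessions only.

```shell
#!/bin/sh
# Added example (not from the original post or the SKLM installer):
# pre-flight space check and temporary limits change for the silent install.

LIMITS_FILE=${LIMITS_FILE:-/etc/security/limits}   # AIX limits file; path taken from the post
BACKUP_SUFFIX=.pre-sklm                              # example's own naming for the backup copy

# check_space DIR NEEDED_KB: return 0 if DIR has at least NEEDED_KB free.
# df -Pk prints the POSIX layout on both AIX and Linux, so "Available" is column 4.
check_space() {
    dir=$1; need_kb=$2
    avail_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    [ "${avail_kb:-0}" -ge "$need_kb" ]
}

# set_unlimited FILE: back FILE up, then set fsize, data and rss to -1 (unlimited)
# inside the default: stanza only, leaving root: and other stanzas untouched.
# The file is rewritten in place (cat >) so its owner and mode are preserved.
set_unlimited() {
    f=$1
    cp "$f" "$f$BACKUP_SUFFIX" || return 1
    awk '
        /^[A-Za-z0-9_]+:/                        { in_default = ($0 == "default:") }
        in_default && $1 ~ /^(fsize|data|rss)$/  { sub(/=.*/, "= -1") }
        { print }
    ' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# restore_limits FILE: put the pre-install limits back (step 9 of the post).
restore_limits() {
    f=$1
    [ -f "$f$BACKUP_SUFFIX" ] || return 1
    cat "$f$BACKUP_SUFFIX" > "$f" && rm -f "$f$BACKUP_SUFFIX"
}

# limit_value FILE NAME: print the current value of NAME in the default: stanza.
limit_value() {
    awk -v name="$2" '
        /^[A-Za-z0-9_]+:/        { in_default = ($0 == "default:") }
        in_default && $1 == name { sub(/.*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Driver: the real system is only touched when called with --prepare or --restore.
case "${1:-}" in
    --prepare)
        # 10 GB = 10485760 KB in the root file system, as recommended in step 2
        check_space / 10485760 || { echo "need 10 GB free in the root file system" >&2; exit 1; }
        set_unlimited "$LIMITS_FILE" && echo "fsize/data/rss set to -1; log in again before copying"
        ;;
    --restore)
        restore_limits "$LIMITS_FILE" && echo "limits restored from $LIMITS_FILE$BACKUP_SUFFIX"
        ;;
esac
```

The awk filter keys on the stanza header so that a stricter per-user stanza (for example root:) is not silently raised to unlimited along with default:, and the backup copy is what --restore reinstates, so there is no need to remember the original numbers.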

Install the SKLM file sets in the AIX LPAR that will be treated as the key server, and install an AIX version with the hdcrypt feature enabled in another LPAR, which will be treated as the test server (the SKLM client).

Configure the SKLM (Security Key Life Cycle Manager) with No Password. 

To configure the SKLM key server without a password, leave the password field empty when exporting the SKLM client certificate, and follow the steps below.

  1. Create the SKLM client certificate on the test server.
  2. Copy the SKLM client certificate to the SKLM server machine.
  3. Log in to the web application on the SKLM server machine and create the SKLM server certificate with usage SSLSERVER, the server-side certificate used for secure communication over the Secure Sockets Layer (SSL/TLS) protocol.
  4. Export the SKLM server certificate to a specific path on the SKLM server machine, referring to it by the UUID of the SKLM server certificate.
  5. Update the configuration entry for the SKLM server certificate.
  6. Once connected to the WebSphere Application Server from the SKLM server machine through the SOAP connector, create the device group.
  7. Import the SKLM client certificate that was copied to the SKLM server machine. The client certificate can be imported in two ways: associated with the device group, or with usage SSLCLIENT.
  8. UUID of the client certificate associated with the device group.
  9. UUID of the client certificate associated with SSLCLIENT.
  10. Update the client certificate using the certificate's UUID.
  11. Finally, copy the SKLM server certificate to the /tmp directory on the SKLM client machine and verify the SKLM server-client model. Because /tmp is world-writable, compare the fingerprint of the copied certificate with the one shown on the server before the client is pointed at it; whatever certificate is registered at this point is what the client will trust from then on.

Configure the SKLM (Security Key Life Cycle Manager) Using Password.

To configure the SKLM key server with a password, provide the password when exporting the SKLM client certificate, then follow steps 1 to 11 above under Configure the SKLM (Security Key Life Cycle Manager) with No Password. The password protects the client's private key at rest, so the client must be able to supply it whenever it contacts the key server; that is why the keysvrmgr entries below come in password and password-less variants.

Adding and listing the key server entry in ODM database.

An encryption key server is used to securely store encryption key information. Access to the key server is secured by a certificate exchange between the client and the server, so each side authenticates the other. When a logical volume (LV) uses the key server key-protection method for encryption, the information about the encryption key server is stored in the ODM database. We can use the keysvrmgr command to manage the ODM database entries associated with the encryption key server.

Below are the commands to be executed on the SKLM client machine to add and list the key server entry in the ODM database. The variants differ in whether the entry is tied to a device group and in where the client certificate password, if one was set at export, is kept: in the ODM entry itself or in the platform keystore (PKS), which keeps the secret out of the ODM files on disk.

  1. Adding the key server entry to the ODM database without a device group.
  2. Adding the key server entry to the ODM database with a device group.
  3. Adding the key server entry to the ODM database with the client certificate password and without a device group.
  4. Adding the key server entry to the ODM database with the client certificate password and a device group.
  5. Adding the key server entry to the ODM database with the client certificate password stored in the platform keystore (PKS) and without a device group.
  6. Adding the key server entry to the ODM database with the client certificate password stored in the platform keystore (PKS) and a device group.
  7. Listing the key server entries that have been added to the ODM database.
  8. Listing the key server entries stored in the platform keystore (PKS).

Adding Key Server authentication method to Logical Volume (LV).

Below are the commands to be executed on the SKLM client machine to add the key server authentication method to a logical volume (LV).

  1. Using a key server entry that is not associated with a device group.
  2. Using a key server entry that is associated with a device group.
  3. Using a key server entry that is associated with the client certificate password.
  4. Using a key server entry that is associated with the client certificate password, with the entry stored in the platform keystore (PKS).

Removal Of Key Server Entry from ODM database.

Below is the command to be executed on the SKLM client machine to remove the key server entry from the ODM database. Remove the key server authentication method from any LV that still uses the entry first, otherwise those volumes can no longer be unlocked through the key server.

  1. Command to remove the key server entry from the ODM database.

Removal Of Client Certificate and Device Group.

Below are the commands to be executed on the SKLM server machine to remove the client certificate and the device group.

  1. Command to delete the client certificate.
  2. Command to delete the device group.

Pictorial Diagram of Auto Setup IBM Security Key Life Cycle Manager with DevOps

The flow chart below shows how the SKLM configuration is established between the SKLM server and the client machine.

Below is a screenshot of what Build with Parameters looks like:

Below is a screenshot of the Jenkins log for the validation part:

Below is the link to the Jenkins job:

https://sys-aix-jenkins.swg-devops.com/job/AIX-FVT-Test/view/FVSECURITY/job/SKLM_SERVER_CLIENT_CONNECTION_ESTABLISHMENT/

Note: if the images are not clear, right-click on the image and open it in a new tab.

Not all team members may have access to the job link above; to get access, please reach out to vintelka@in.ibm.com or dipabisw@in.ibm.com.
