Deploying Key Lifecycle Management Services

9min
You can deploy multiple services to support individual use cases, including the following Key Lifecycle Management Services:
Initial KTK for Key Exchange: Using existing plaintext components, a new KTK is created under the  master key, which you can then use to import and export working keys.
Generate Key: This service generates keys using pre-defined Key Types and allows you to export them under a KTK.
Import Key: This service enables you to import a new key (either Global or New key type) under an existing KTK.
The following deployments form an initial KTK, TEST KTK, from three plaintext components, generate a PEK, TEST PEK 1, with the option to export under the KTK, and then import a PEK, TEST PEK 2, under the KTK.
Initial KTK (KEK/ZMK) for key exchange
Perform the following steps to complete this process:
Step 1 | Deploy the Key Lifecycle Management Service
1
Log in to the  web dashboard under dual control with your Administrator users.
2
On the Service Management page, search for Key Lifecycle Management, or select the Key Management service category and then select the Key Lifecycle Management service.
3
Select [ Deploy ].
4
Configure Service Setup as follows:
Service Name: Select 3DES KTK XOR 3 Components
Service Category: Select Key Management
5
Configure Access Control as follows:
Add the following roles:
Key Manager
Key Holder
6
Configure Key Approval Setup as follows:
Add the following roles:
Key Holder
7
Configure Key Configuration  as follows:
Algorithm Type: Select Symmetric
Source: Select XOR components import
Component Source: Select Trusted key custodians
Components: Select 3
Key Types:
Select [ Add Key Type ]
Select [ Autofill From Existing ]
Select the 3DES KTK checkbox.
Select [ Save ]
Permissions for Created Key: Select All users of service
8
Configure Print Key as follows:
Destination: Select Do not print
9
Configure Webhook  as follows:
Destination: Select No webhook
10
Configure Lifecycle Management as follows:
State: Active
Select Manual or Automatic Transition (specify the transition period if you selected automatic)
Select [ Next ]
State: Archived
Select Enable or Disable
Select Manual or Automatic Transition (specify the transition period if you selected automatic)
Select [ Next ]
State: Deactivated
Select Enable or Disable.
Select Manual or Automatic Transition (specify the transition period if you selected automatic).
Select [ Next ]
State: Destroyed
This state is always enabled for the service.
Manual Transition is required for this state.
11
Select [ Deploy ].
Step 2 | Enter and Combine KTK Components
1
Log out of  if you are still logged in with the Administrator users.
2
Log in to the  web dashboard with the KeyHolderA user.
3
On the Service Management page, go to the Key Wizard tab and configure New Key  as follows:
Service: Select 3DES KTK XOR 3 Components.
Key Type: Select 3DES KTK.
Key Name: Enter Test KTK.
4
On the Service Management page, go to the Deployed Services tab and select the Key Lifecycle Management service you deployed (such as 3DES KTK XOR 3 Components).
5
Go to Key Orders/Approvals.
6
Select the checkmark under Actions to approve the Test KTK key order.
Perform the following steps:
Enter the first plaintext component
9EE6 5104 E82A 9ED4
88B8 7516 014A 1426
9F35 BCEA 104F 0D29
Component KCV 5FA3
Select [ Load Component ] and note the KCV (Key Check Value) in the pop-up dialog.
Note Hover the cursor over the dialog window to avoid closing.
7
Log out of .
8
Log in to the  web dashboard with the KeyHolderB user.
9
From the Service Management page, go to the Deployed Services tab and select the Key Lifecycle Management service you deployed (such as 3DES KTK XOR 3 Components).
10
Go to Key Orders/Approvals.
11
Select the checkmark under Actions to approve the Test KTK key order.
Enter the second plaintext component:
A8A7 26D6 5152 6438
0E07 8C13 1F25 759B
9E58 E551 2957 5116
Component KCV 2AF8
Select [ Load Component ] and note the KCV in the pop-up dialog.
Note Hover the cursor over the dialog window to avoid closing.
12
Log out of .
13
Log in to the  web dashboard with the KeyHolderC user.
14
On the Service Management page, go to the Deployed Services tab and select the Key Lifecycle Management service you deployed (such as 3DES KTK XOR 3 Components).
15
Go to Key Orders/Approvals.
16
Select the checkmark under Actions to approve the Test KTK key order.
Enter the third (final) plaintext component:
DC76 E50B BCDC C767
EF29 3EF7 7A83 4946
B35E D56E 15E0 9415
Component KCV E18B
Select [ Load Component ] and note the Final Checksum CAF9.
Note Hover the cursor over the dialog window to avoid closing.
Generate Key with the option to Export under KTK
Perform the following steps to complete this process
Step 1 | Deploy Key Lifecycle Management Service
1
Log in to the  web dashboard under dual control with the KeyManager1 and KeyManager2 users.
2
From the Service Management page, search for Key Lifecycle Management or select the Key Management service category and then select the Key Lifecycle Management service.
3
Select [ Deploy ].
4
Service Setup
Service Name: Select Generate Key.
Service Category: Select Key Management.
5
Access Control
Add the following roles:
Key Manager
6
Key Approval Setup
Do not add any roles.
7
Key Configuration
Algorithm Type: Select Symmetric.
Source: Select Randomly generated key.
Approvals: Select 0.
Key Types:
Add the following Key Types: 3DES CVK, 3DES MAK, and 3DES PEK.
Permissions for Created Key: Select All users of service.
8
Print Key
Destination: Select Do not print.
9
Webhook
Destination: Select No webhook.
10
Lifecycle Management
State: Active
Select Manual or Automatic Transition (specify the transition period if you selected automatic).
Select [ Next ].
State: Archived
Choose to Enable or Disable.
Select Manual or Automatic Transition (specify the transition period if you selected automatic).
Select [ Next ]
State: Deactivated
Choose to Enable or Disable.
Select Manual or Automatic Transition (specify the transition period if you selected automatic).
Select [ Next ].
State: Destroyed
This state is always enabled for the service.
Manual Transition is required for this state.
11
Select [ Deploy ].
Step 2 | Generate Key
1
Go to the main Service Management page of the .
2
Go to the Key Wizard tab.
New Key
Service: Select Generate Key.
Key Type: Select 3DES PEK.
Key Name: Enter TEST PEK 1.
3
Select [ Finish Setup ].
4
Select [ Manage Keys ].
5
In the Actions field for the key you created, select the Information icon and note the UUID of the key in the Export section.
Step 3 | Export Key
1
Go to the main Service Management page of the .
2
Go to the Deployed Services tab.
3
Select the Generate Key service.
4
Select the Key Orders action.
5
In the Actions field for the key you created, select the Information icon.
6
In the Export section of the Key Information dialog, there is a Keyblock field. Select either[ Copy ] or [ Download ] next to it.
7
In the Select a KTK field, type 3DES KTK - Test KEK and select the key.
8
Select TR-31, AKB, or ECB no padding for ANSI X9.17 cryptograms.

TR-31
B0096P0TN00E00008378AD73BB7B6408CCA6CA7C14D8BDDDAFE9E75957746E9FB23F31798B69C1F5C0A838DCB0B1408C

AKB
1PUNE000,B1EAA2E7C35D27AD0ADA8F22441A01CF09473EC8246E50C3,288B4AB3AD55D308

Cryptogram
9AE93957C36C22D7BA1A9657C85C4026
Import Key under KTK
Perform the following steps to complete this process:
Step 1 | Deploy Key Lifecycle Management Service
1
Log in to the  web dashboard under dual control with the KeyManager1 and KeyManager2 users.
2
From the Service Management page, search for Key Lifecycle Management or select the Key Management service category and then select the Key Lifecycle Management service.
3
Select [ Deploy ].
4
Service Setup
Service Name: Select Import Key.
Service Category: Select Key Management.
5
Access Control
Add the following roles:
Key Manager
6
Key Approval Setup
Do not add any roles
7
Key Configuration
Algorithm Type: Select Symmetric.
Source: Select KTK import.
Select KTKs: Select 3DES KTK - Test KEK.
Approvals: Select 0.
Key Types:
Select [ Add Key Type ]
Select [ Autofill From Existing ]
Select the checkmark next to 3DES CVK
Select [ Save ]
Select [ Add Key Type ]
Select [ Autofill From Existing ]
Select the checkmark next to 3DES MAK
Select [ Save ]
Select [ Add Key Type ]
Select [ Autofill From Existing ]
Select the checkmark next to 3DES PEK
Select [ Save ]
Permissions for Created Key: Select All users of service.
8
Print Key
Destination: Select Do not print.
9
Webhook
Destination: Select No webhook.
10
Lifecycle Management
State: Active
Select either Manual or Automatic Transition (specify the transition period if you selected Automatic)
Select [ Next ]
State: Archived
Choose to Enable or Disable
Select Manual or Automatic Transition (specify the transition period if you selected automatic).
Select [ Next ].
State: Deactivated
Choose to Enable or Disable.
Select Manual or Automatic Transition (specify the transition period if you selected automatic).
Select [ Next ].
State: Destroyed
This state is always enabled for the service.
Manual Transition is required for this state.
11
Select [ Deploy ].
Step 2 | Import Key
1
Go to the main Service Management page of the .
2
Go to the Key Wizard tab.
3
New Key
Service: Select Generate Key.
Key Type: Select 3DES PEK.
Key Name: Enter TEST PEK 2.
4
Transfer Key Selection
Transfer Key: Select Test KEK.
Key Block: Select B0096P0TN00E00008378AD73BB7B6408CCA6CA7C14D8BDDDAFE9E75957746E9FB23F31798B69C1F5C0A838DCB0B1408C.
Format: TR-31
5
Select [ Finish Setup ].
6
Select [ Manage Keys ].
7
In the Actions field for the key you created, select the Information icon and note the UUID of the key in the Export section.
﻿
Updated 29 Nov 2024
Did this page help you?
Identity and access management (IAM)
Manage keys by using the Web Services API