Deploying Key Lifecycle Management Services
You can deploy multiple services to support individual use cases, including the following key lifecycle management services:

- Initial KTK for key exchange: Using existing plaintext components, a new KTK is created under the {{ch}} master key, which you can then use to import and export working keys.
- Generate key: This service generates keys by using pre-defined key types and enables you to export them under a KTK.
- Import key: This service enables you to import a new key (either global or new key type) under an existing KTK.

The following deployments form an initial KTK, Test KTK, from three plaintext components; generate a PEK, Test PEK 1, with the option to export under the KTK; and then import a PEK, Test PEK 2, under the KTK.

Initial KTK (KEK/ZMK) for key exchange

Perform the following tasks to complete this process:

1. Deploy the key lifecycle management service
2. Enter and combine KTK components

Deploy the key lifecycle management service

Perform the following steps to deploy the key lifecycle management service:

1. Log in to the {{ch}} web dashboard under dual control with your administrator users.
2. On the Service Management page, search for Key Lifecycle Management, or select the Key Management service category and then select the Key Lifecycle Management service.
3. Select [ Deploy ].
4. Configure Service Setup as follows:
   - Service name: select 3DES KTK XOR 3 Components
   - Service category: select Key Management
5. Configure Access Control as follows:
   - Add the following roles: Key Manager, Key Holder
6. Configure Key Approval Setup as follows:
   - Add the following roles: Key Holder
7. Configure Key Configuration as follows:
   - Algorithm type: select Symmetric
   - Source: select XOR Components Import
   - Component source: select Trusted Key Custodians
   - Components: select 3
   - Key types: select [ Add Key Type ], select [ Autofill from Existing ], select the 3DES KTK checkbox, and select [ Save ]
   - Permissions for created key: select All Users of Service
8. Configure Print Key as follows:
   - Destination: select Do Not Print
9. Configure Webhook as follows:
   - Destination: select No Webhook
10. Configure Lifecycle Management as follows:
    - State Active: Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Archived: Select enable or disable. Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Deactivated: Select enable or disable. Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Destroyed: This state is always enabled for the service. Manual transition is required for this state.
11. Select [ Deploy ].

Enter and combine KTK components

Perform the following steps to enter and combine KTK components:

1. Log out of {{ch}} if you are still logged in with the administrator users.
2. Log in to the {{ch}} web dashboard with the keyholdera user.
3. On the Service Management page, go to the Key Wizard tab and configure New Key as follows:
   - Service: select 3DES KTK XOR 3 Components
   - Key type: select 3DES KTK
   - Key name: enter Test KTK
4. On the Service Management page, go to the Deployed Services tab and select the key lifecycle management service you deployed (such as 3DES KTK XOR 3 Components).
5. Go to Key Orders/Approvals.
6. Select the checkmark under Actions to approve the Test KTK key order.
7. Perform the following steps:
   - Enter the first plaintext component: 9ee6 5104 e82a 9ed4 88b8 7516 014a 1426 9f35 bcea 104f 0d29
   - Component KCV: 5fa3
   - Select [ Load Component ] and note the KCV (key check value) in the pop-up dialog.
   Note: Hover the cursor over the dialog window to avoid closing.
8. Log out of {{ch}}.
9. Log in to the {{ch}} web dashboard with the keyholderb user.
10. From the Service Management page, go to the Deployed Services tab and select the key lifecycle management service you deployed (such as 3DES KTK XOR 3 Components).
11. Go to Key Orders/Approvals.
12. Select the checkmark under Actions to approve the Test KTK key order.
13. Enter the second plaintext component: a8a7 26d6 5152 6438 0e07 8c13 1f25 759b 9e58 e551 2957 5116
    - Component KCV: 2af8
14. Select [ Load Component ] and note the KCV in the pop-up dialog.
    Note: Hover the cursor over the dialog window to avoid closing.
15. Log out of {{ch}}.
16. Log in to the {{ch}} web dashboard with the keyholderc user.
17. On the Service Management page, go to the Deployed Services tab and select the key lifecycle management service you deployed (such as 3DES KTK XOR 3 Components).
18. Go to Key Orders/Approvals.
19. Select the checkmark under Actions to approve the Test KTK key order.
20. Enter the third (final) plaintext component: dc76 e50b bcdc c767 ef29 3ef7 7a83 4946 b35e d56e 15e0 9415
    - Component KCV: e18b
21. Select [ Load Component ] and note the final checksum: caf9
    Note: Hover the cursor over the dialog window to avoid closing.

Generate key with the option to export under KTK

Perform the following tasks to complete this process:

1. Deploy key lifecycle management service
2. Generate key
3. Export key

Deploy key lifecycle management service

Perform the following steps to deploy the key lifecycle management service:

1. Log in to the {{ch}} web dashboard under dual control with the keymanager1 and keymanager2 users.
2. From the Service Management page, search for Key Lifecycle Management, or select the Key Management service category and then select the Key Lifecycle Management service.
3. Select [ Deploy ].
4. Configure the service as follows:
   - Service name: select Generate Key
   - Service category: select Key Management
5. Configure Access Control as follows:
   - Add the following roles: Key Manager
6. Configure Key Approval Setup as follows:
   - Do not add any roles.
7. Configure Key Configuration as follows:
   - Algorithm type: select Symmetric
   - Source: select Randomly Generated Key
   - Approvals: select 0
   - Key types: add the following key types: 3DES CVK, 3DES MAK, and 3DES PEK
   - Permissions for created key: select All Users of Service
8. Configure Print Key as follows:
   - Destination: select Do Not Print
9. Configure Webhook as follows:
   - Destination: select No Webhook
10. Configure Lifecycle Management as follows:
    - State Active: Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Archived: Choose to enable or disable. Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Deactivated: Choose to enable or disable. Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Destroyed: This state is always enabled for the service. Manual transition is required for this state.
11. Select [ Deploy ].

Generate key

Perform the following steps to generate a key:

1. Go to the main Service Management page of the {{ch}}.
2. Go to the Key Wizard tab.
3. Configure New Key as follows:
   - Service: select Generate Key
   - Key type: select 3DES PEK
   - Key name: enter Test PEK 1
4. Select [ Finish Setup ].
5. Select [ Manage Keys ].
6. In the Actions field for the key you created, select the information icon and note the UUID of the key in the Export section.

Export key

Perform the following steps to export the key:

1. Go to the main Service Management page of the {{ch}}.
2. Go to the Deployed Services tab.
3. Select the Generate Key service.
4. Select the Key Orders action.
5. In the Actions field for the key you created, select the information icon.
6. In the Export section of the Key Information dialog, in the Keyblock field, select either [ Copy ] or [ Download ].
7. In the Select a KTK field, type 3DES KTK Test KEK and select the key.
8. Select TR-31, AKB, or ECB no padding for ANSI X9.17 cryptograms:
   - TR-31: b0096p0tn00e00008378ad73bb7b6408cca6ca7c14d8bdddafe9e75957746e9fb23f31798b69c1f5c0a838dcb0b1408c
   - AKB: 1pune000,b1eaa2e7c35d27ad0ada8f22441a01cf09473ec8246e50c3,288b4ab3ad55d308
   - Cryptogram: 9ae93957c36c22d7ba1a9657c85c4026

Import key under KTK

Perform the following tasks to complete this process:

1. Deploy key lifecycle management service
2. Import key

Deploy key lifecycle management service

Perform the following steps to deploy the key lifecycle management service:

1. Log in to the {{ch}} web dashboard under dual control with the keymanager1 and keymanager2 users.
2. From the Service Management page, search for Key Lifecycle Management, or select the Key Management service category and then select the Key Lifecycle Management service.
3. Select [ Deploy ].
4. Configure Service Setup as follows:
   - Service name: select Import Key
   - Service category: select Key Management
5. Configure Access Control as follows:
   - Add the following roles: Key Manager
6. Configure Key Approval Setup as follows:
   - Do not add any roles.
7. Configure Key Configuration as follows:
   - Algorithm type: select Symmetric
   - Source: select KTK Import
   - Select KTKs: select 3DES KTK Test KEK
   - Approvals: select 0
   - Key types:
     - Select [ Add Key Type ], select [ Autofill from Existing ], select the checkmark next to 3DES CVK, and select [ Save ].
     - Select [ Add Key Type ], select [ Autofill from Existing ], select the checkmark next to 3DES MAK, and select [ Save ].
     - Select [ Add Key Type ], select [ Autofill from Existing ], select the checkmark next to 3DES PEK, and select [ Save ].
   - Permissions for created key: select All Users of Service
8. Configure Print Key as follows:
   - Destination: select Do Not Print
9. Configure Webhook as follows:
   - Destination: select No Webhook
10. Configure Lifecycle Management as follows:
    - State Active: Select either manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Archived: Choose to enable or disable. Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Deactivated: Choose to enable or disable. Select manual or automatic transition (specify the transition period if you selected automatic). Select [ Next ].
    - State Destroyed: This state is always enabled for the service. Manual transition is required for this state.
11. Select [ Deploy ].

Import key

Perform the following steps to import the key:

1. Go to the main Service Management page of the {{ch}}.
2. Go to the Key Wizard tab.
3. Configure New Key as follows:
   - Service: select Generate Key
   - Key type: select 3DES PEK
   - Key name: enter Test PEK 2
4. Configure Transfer Key Selection as follows:
   - Transfer key: select Test KEK
   - Key block: select b0096p0tn00e00008378ad73bb7b6408cca6ca7c14d8bdddafe9e75957746e9fb23f31798b69c1f5c0a838dcb0b1408c
   - Format: TR-31
5. Select [ Finish Setup ].
6. Select [ Manage Keys ].
7. In the Actions field for the key you created, select the information icon and note the UUID of the key in the Export section.
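
The TR-31 key block used in the export and import steps carries a 16-character cleartext header that states what the wrapped key is for. The following added example (not part of the product or its documentation) parses that header and checks it against the key type selected for import; `parse_tr31`, `KeyBlock` and `import_policy_errors` are hypothetical names. The MAC itself is verified only inside the HSM under the KTK, so this is a pre-import consistency check, not an authenticity check.

```python
from dataclasses import dataclass

# Key block as printed in the export step on this page.
PAGE_KEY_BLOCK = ("b0096p0tn00e00008378ad73bb7b6408cca6ca7c14d8bddd"
                  "afe9e75957746e9fb23f31798b69c1f5c0a838dcb0b1408c")
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}  # MAC size by version ID
EXPORTABILITY = {"E": "exportable under a trusted key",
                 "N": "non-exportable", "S": "sensitive"}

@dataclass
class KeyBlock:
    version: str
    length: int
    usage: str
    algorithm: str
    mode: str
    key_version: str
    exportability: str
    enc_key_hex: str
    mac_hex: str

def parse_tr31(block: str) -> KeyBlock:
    """Split a TR-31 key block into header fields, ciphertext and MAC."""
    b = block.strip().upper()
    if len(b) < 16 or not b[1:5].isdigit() or not b[12:14].isdigit():
        raise ValueError("malformed TR-31 header")
    if b[0] not in MAC_HEX_LEN:
        raise ValueError(f"unknown key block version {b[0]!r}")
    if int(b[1:5]) != len(b):
        raise ValueError("declared length does not match the data received")
    if int(b[12:14]) != 0:
        raise ValueError("optional header blocks present; not parsed here")
    body = b[16:]
    int(body, 16)  # raises ValueError when the body is not hex
    cut = len(body) - MAC_HEX_LEN[b[0]]
    if cut <= 0:
        raise ValueError("key block too short to hold key data and MAC")
    return KeyBlock(b[0], int(b[1:5]), b[5:7], b[7], b[8], b[9:11], b[11],
                    body[:cut], body[cut:])

def import_policy_errors(kb: KeyBlock, want_usage: str, want_alg: str = "T"):
    """Return mismatches between the header and what the import expects."""
    errors = []
    if kb.usage != want_usage:
        errors.append(f"usage {kb.usage} != expected {want_usage}")
    if kb.algorithm != want_alg:
        errors.append(f"algorithm {kb.algorithm} != expected {want_alg}")
    if kb.exportability not in EXPORTABILITY:
        errors.append(f"unknown exportability {kb.exportability!r}")
    return errors
```

For the key block on this page the header reads version B, usage P0 (PIN encryption, matching the 3DES PEK key type), algorithm T (TDEA) and exportability E.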