Create a role and identity on the KMES Series 3

3min

this section shows how to create a role and identity on the {{k3}} with the permissions ibm db2 requires to generate the master encryption key when ibm db2 initiates a connection to the {{k}} through kmip, authentication occurs through the tls certificate by matching a {{k}} identity name to the common name configured for the ibm db2 client certificate, ibm db2 can authenticate and assume the permissions granted to that identity add an idp perform the following steps to add a pki identity provider (idp) log in to the {{k3}} application interface with the default admin identities go to the identity management > identity providers menu right click anywhere in the window and select add > provider > pki in the info tab of the identity provider editor window, specify a name for the idp and unselect enforce dual factor on the pki options tab, select \[ select ] in the certificate selector window, expand the certificate tree you created for this integration, select the ca certificate that signed the ibm db2 client certificate and kmip connection pair certificates, and select \[ ok ] select \[ ok ] to finish creating the pki idp right click the idp you just created and select add > mechanism > tls on the info tab, specify a name for the authentication mechanism on the pki tab, leave all fields set to the default values select \[ ok ] to save create a role perform the following steps to create a role go to identity management > roles , and select \[ add ] in the info tab of the role editor window, configure the following settings setting required configuration type application name ibm db2 application 1 on the permissions tab, enable the following permissions for the role permission subpermission cryptographic operations encrypt, decrypt keys add, delete, export, modify secure key functions clear export on the advanced tab, set allowed ports to kmip only select \[ ok ] to finish creating the role create an identity perform the following steps to create an identity go to the identity management > identities menu, right click anywhere in the window, and select add > client application on the info tab of the identity editor window, select application for the storage location and specify ibmdb2 as the identity name the identity name must match the common name of the client certificate on the assigned roles tab, select the role you created for ibm db2 on the authentication tab, remove the default api key mechanism and select \[ add ] to add a new credential on the configure credential window, select tls certificate in the type drop down menu and select the provider and mechanism you created select \[ ok ] to finish configuring the credential select \[ ok ] to finish creating the identity

Configure IBM Db2 initially and request a client certificate

Enable and test encryption in IBM Db2