Configure Key Transfer Partners

Each cluster must configure the other cluster as a partner before transferring keys.

Both partners must complete the following steps to configure the other cluster as a partner:

Create and Send a Key Transfer Public Key

OKM signs key transfer files with the key transfer public key. Provide partners with the key transfer public key, so they can import key transfer files.

Available to: Security Officer
  1. In the left navigation tree, expand System Management, and then select Key Transfer Public Key List.
  2. Click Create...
  3. Provide the new key to all existing transfer partners:
    1. Select a Public Key in the list, and then click Details...
    2. Send this information to the other cluster's administrator. Cut and paste the Public Key ID and Public Key into an e-mail or other agreed-upon form of communication. The communication method used should be sufficiently secure.

Create the Transfer Partner

The administrator of the receiving cluster must enter the public key information provided by the partner cluster.

These procedures use the key information sent in Create and Send a Key Transfer Public Key.
Available to: Security Officer (requires a quorum)
  1. In the partner cluster, in the left navigation tree, expand Secure Information Management, and then select Transfer Partner List. Click Create...
  2. Complete the following on the General tab:
    • Transfer Partner ID — Identifies the transfer partner (1 to 64 characters).
    • Description (optional) — Describes the transfer partner (1 to 64 characters).
    • Contact Information (optional) — Contact information about the transfer partner.
    • Export Format — The format you should select depends on the software version and the FIPS Mode Only settings. To view the FIPS setting, see Review and Modify the Cluster Security Parameters.

      Table 11-1 Determining Export Format

      Software Version    FIPS Mode Only        FIPS Mode Only        Export Format
      (Importing KMA)     (Exporting Cluster)   (Importing Cluster)
      2.0.2 or lower      Off                   N/A                   v2.0 or Default
      2.0.2 or lower      On                    N/A                   v2.0
      2.1 or higher       Off                   Off                   v2.1 (FIPS)
      2.1 or higher       On                    Off                   v2.1 (FIPS)
      2.1 or higher       Off                   On                    v2.1 (FIPS)
      2.1 or higher       On                    On                    v2.1 (FIPS) or Default

      • v2.0 — This transfer partner does not wrap keys when it exports them.
      • v2.1 (FIPS) — This transfer partner wraps keys when it exports them.
      • Default — Enables sharing keys between a cluster running KMS 2.1+ and another cluster in which all KMAs run KMS 2.0.x. This value effectively uses either "v2.0" or "v2.1 (FIPS)" behavior depending on the software version of the KMA importing the keys and the settings of the "FIPS Mode Only" security parameter on the exporting and importing OKM clusters.

        "Default" allows you to alter the format of the transfer partner's transfer files simply by changing the FIPS Mode Only security parameter instead of editing the transfer partner's Export Format setting directly, which requires a quorum.

    • Flags - Enabled — When selected, this transfer partner can share keys.
    • Flags - Allow Export To — When selected, you can export keys to the transfer partner.
    • Flags - Allow Import From — When selected, you can import keys from this transfer partner.
  3. Complete the following on the Public Keys tab:
    • New Public Key ID — Enter the Public Key ID provided to you by the transfer partner.
    • New Public Key — Enter the Public Key provided to you by the transfer partner.
    • New Public Key Fingerprint — This read-only field shows the fingerprint, or hash value, of the new Public Key. Verify this fingerprint with the Partner to ensure the Public Key has not been tampered with, accidentally or deliberately, during transmission.
  4. As you enter the Public Key, the system computes the fingerprint. Communicate with the partner cluster administrator using a different method than was used for the transfer of the key itself.

    Both administrators should look at their OKM and verify the fingerprint matches. A mismatch indicates the key has been damaged or modified during the transfer.

  5. If the fingerprint is correct, click Save.
  6. Enter the Key Split Quorum Authentication. See Quorum Authentication for more information.
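The following is an added example, not part of the OKM product or its documentation: it encodes Table 11-1 and the "Default" rule above as a check an administrator can run against a planned or existing transfer partner, to confirm the chosen Export Format is permitted for the importing KMA's software version and both clusters' FIPS Mode Only settings, and to see which behaviour "Default" actually resolves to. Function names and the version-string parsing are assumptions of this example.

```python
# Added example (not OKM code): policy check derived from Table 11-1.
# Assumption: OKM versions are written as dotted numbers such as "2.0.2" or "2.1".

def _is_2_1_or_higher(version: str) -> bool:
    """True for an OKM version of 2.1 or higher, False for 2.0.2 or lower."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))           # "2.1" -> (2, 1, 0)
    return tuple(parts[:3]) >= (2, 1, 0)

def allowed_export_formats(importing_version, exporting_fips_on, importing_fips_on):
    """Export Format values Table 11-1 permits for this partner combination."""
    if not _is_2_1_or_higher(importing_version):
        # Importing KMA runs 2.0.x: its FIPS setting is N/A and keys are never wrapped.
        return ["v2.0", "Default"] if not exporting_fips_on else ["v2.0"]
    if exporting_fips_on and importing_fips_on:
        return ["v2.1 (FIPS)", "Default"]
    return ["v2.1 (FIPS)"]

def is_valid_export_format(export_format, importing_version,
                           exporting_fips_on, importing_fips_on):
    """Detects a partner whose Export Format no longer matches the table, e.g. after
    one side toggles FIPS Mode Only without the partner definition being revisited."""
    return export_format in allowed_export_formats(
        importing_version, exporting_fips_on, importing_fips_on)

def effective_format(export_format, importing_version,
                     exporting_fips_on, importing_fips_on):
    """Resolve "Default" to the v2.0 or v2.1 (FIPS) behaviour it uses in practice."""
    if not is_valid_export_format(export_format, importing_version,
                                  exporting_fips_on, importing_fips_on):
        raise ValueError(f"{export_format!r} is not permitted for this combination")
    if export_format != "Default":
        return export_format
    # Default wraps keys only when the importing KMA is 2.1 or higher.
    return "v2.1 (FIPS)" if _is_2_1_or_higher(importing_version) else "v2.0"

if __name__ == "__main__":
    # Constructed scenario: a 2.1 cluster exporting to a partner whose KMAs run 2.0.2,
    # with FIPS Mode Only off on the exporting side.
    print(allowed_export_formats("2.0.2", False, None))            # ['v2.0', 'Default']
    print(effective_format("Default", "2.0.2", False, None))       # v2.0
    # Switching FIPS Mode Only on at the exporter invalidates "Default" for that partner.
    print(is_valid_export_format("Default", "2.0.2", True, None))  # False
```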

Assign Key Groups to a Transfer Partner

The administrator must assign key groups for the transfer partner.

This process accomplishes the same result as Assign a Transfer Partner to a Key Group.
Available to: Compliance Officer, Operator (view only)
  1. In the left navigation area, expand Transfer Partners, and then select Key Group Assignment to Transfer Partners.
  2. Select a Transfer Partner in the "Transfer Partner" column.
  3. Move key groups between the "Allowed Key Groups" and the "Disallowed Key Groups" columns. To move a key group, highlight it, and then click < or > to allow or disallow access.