Key Generation and Support

The MCP Cryptographic Services Manager of Security Center enables the security administrator to generate and manage keys, certificates, and certificate stores. The administrator, with appropriate privileges, can configure keys and certificates and inquire on keys and certificates.

Public key infrastructure (PKI) functions provided by the MCP Cryptographic Services Manager are the following:

  • Backup and restore keys used for Enterprise Database Server encryption.

  • Create a public and private RSA or ECC key pair and a key container.

  • Create or import a symmetric key (for use with IPsec).

  • Create a certificate request by using the RSA or ECC public/private key pair.

  • Import and export keys for disk encryption.

  • Import and export SSH keys in the PEM and OpenSSH SSH2 PEM formats.

  • Import remote SSH host keys (SSH keyscan).

  • Install a certificate issued by a certificate authority and signed with SHA-1 (deprecated), SHA-256, SHA-384, or SHA-512.

  • Install a trusted root certificate.

  • Install a key and certificate through PKCS12.

  • Manage public keys for server and client authentication with the SSH/SFTP protocols.

  • Remotely test SSL/TLS connection trust (SSL/TLS Connection Wizard).

MCP Cryptographic Services Manager supports generation of asymmetric and symmetric keys. It includes two symmetric key algorithms (AES128 and TDES for IPsec), one hash algorithm (SHA-1 for IPsec), and two asymmetric key algorithms (RSA for SSL/TLS/SSH or ECC for SSL/TLS). On some systems, another symmetric key algorithm (AES256 for IPsec) and two additional hash algorithms (SHA-256 and SHA-512) are available for IPsec. MCP Cryptographic Services Manager supports the PKCS7, PKCS10, and BER/DER base-64 encoding of X.509 certificates, and import of keys and certificates through PKCS12.

Keys that control tape encryption are maintained in keysets, which are managed through the MCP Cryptographic Services Manager. Keysets can be securely transported between systems (so that the media can be decrypted on other systems) and can be aged or marked as compromised (for example, when they have reached the end of the period set in the local security policy, or when the security administrator wants to create a new keyset for use). Any keyset can always be used to decrypt tapes, but only one keyset may be marked active for creating encrypted media.