Product Documentation

The loadBaseDerivationKey (LBK) operation takes a set of previously stored Key Components and assembles them into a BDK. This BDK is not persisted to the appliance and is used to process transactions in the CardCryptoService (CCS) Servlet. The loadBaseDerivationKey web service requires six parameters:

DID

The unique encryption domain identifier.

username

The username (service credential) within the encryption domain with the authorization to call this web service. The credential requires the Key Component Custodian (KMO) privilege.

password

The password for the username, used to authenticate the requester's credential.

keyname

Identifier for the assembled key. This must match the keyname provided for each of this key's Key Components submitted to the loadKeyComponent web service.

kcv

Hex-encoded string representing the KCV for the assembled key.

mfr

The numerical identifier of the manufacturer for which this BDK is assigned. Please see Chapter 5 for a detailed explanation of Manufacturer IDs.

When SAKA receives the request, it verifies the presented credentials against its internal database (or an optional LDAP directory server) and determines whether the requester is authorized to call the loadBaseDerivationKey service by checking for membership in the KMCAuthorized group. If using LDAP, this group and its members must be created in the LDAP directory as a distinct task of the SAKA installation process; when using the SAKA internal database, this group is created automatically.

If the requester is authorized, SAKA proceeds to check for the key components of this key. If all the necessary key components are found, the BDK is assembled from these key components. The KCV provided in the web service call is compared to the KCV of this generated key. If they do not match, the integrity of the key cannot be confirmed and the request will fail. If the integrity of the key is confirmed, the key is ready for use with CCS web services.
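The assemble-then-verify step described above, as an added Java example that is not SAKA's own code. It assumes components are combined by XOR, a double-length TDES BDK, and the legacy KCV (first three bytes of an all-zero block encrypted under the key); the class and method names are hypothetical and the component values are constructed.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HexFormat;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not SAKA code (Java 17+). Assumptions: XOR-combined components,
// a double-length TDES key, and the legacy zero-block key check value.
public class BdkKcvCheck {
    static final HexFormat HEX = HexFormat.of().withUpperCase();

    // XOR every 16-byte component into one key; reject short or missing input.
    static byte[] assemble(List<byte[]> components) {
        if (components.size() < 2) throw new IllegalArgumentException("need at least two components");
        byte[] key = new byte[16];
        for (byte[] c : components) {
            if (c.length != 16) throw new IllegalArgumentException("component must be 16 bytes");
            for (int i = 0; i < 16; i++) key[i] ^= c[i];
        }
        return key;
    }

    // KCV = first 3 bytes of TDES-ECB(key, eight zero bytes).
    static byte[] kcv(byte[] key16) throws Exception {
        byte[] k24 = Arrays.copyOf(key16, 24);   // K1 | K2 | zeros
        System.arraycopy(key16, 0, k24, 16, 8);  // K1 | K2 | K1, the 24-byte form the JCE expects
        Cipher tdes = Cipher.getInstance("DESede/ECB/NoPadding");
        tdes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k24, "DESede"));
        byte[] block = tdes.doFinal(new byte[8]);
        Arrays.fill(k24, (byte) 0);              // wipe the expanded key copy
        return Arrays.copyOf(block, 3);
    }

    // Compare the caller's hex KCV with the computed one in constant time.
    static boolean kcvMatches(byte[] key16, String kcvHex) throws Exception {
        return MessageDigest.isEqual(HEX.parseHex(kcvHex), kcv(key16));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample components, not real key material.
        byte[] bdk = assemble(List.of(HEX.parseHex("0123456789ABCDEFFEDCBA9876543210"),
            HEX.parseHex("11111111111111112222222222222222"),
            HEX.parseHex("A5A5A5A5A5A5A5A55A5A5A5A5A5A5A5A")));
        byte[] good = kcv(bdk);
        byte[] bad = good.clone();
        bad[0] ^= 0x01;                          // simulate a mistyped KCV
        System.out.println("matching KCV accepted: " + kcvMatches(bdk, HEX.formatHex(good)));
        System.out.println("altered KCV accepted:  " + kcvMatches(bdk, HEX.formatHex(bad)));
    }
}
```

A KCV mismatch indicates only that the assembled key differs from the one the custodians intended; it does not reveal which component was mistyped or missing.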

NOTE: If the application server or the appliance is rebooted, the assembled key will be erased and must be reloaded into the appliance. If permanent storage is desired, refer to the storeAnsiX9241Key web service.

Once the BDK is successfully loaded, the following values will be returned, either as a JSON or XML string; in the case of SOAP, the JSON or XML string is embedded in the objectContent attribute of the CCReturnObject object:

DID

The unique encryption domain identifier for the domain that serviced this request.

SRID

A unique request identifier for this transaction.

KCV

The KCV of this loaded component.