Storing an AES password encryption key in the SAF key ring
We can use the z/OS Password Encryption Key feature (zosPasswordEncryptionKey-1.0) to store Advanced Encryption Standard (AES) encrypted passwords securely in Liberty. The feature obtains the AES encryption key for an encrypted password at run time, so the key itself is not stored in the server configuration alongside the passwords it protects.
We can specify the AES encryption key in the server configuration with the wlp.password.encryption.key variable. However, as a more secure alternative, we can use a private key stored in a System Authorization Facility (SAF) key ring.
When the zosPasswordEncryptionKey-1.0 feature is enabled, Liberty retrieves the AES encryption key from the SAF key ring by using the credentials of the server process, rather than a key that is written into the configuration. The identity that the server runs under must therefore have SAF authority to read the key ring and the private key of the certificate it references. When this feature is enabled, the wlp.password.encryption.key variable is ignored; remove any value that was previously set for it so that the old key is not left behind in the configuration.
- To use an encryption key that is stored in the SAF key ring, enable the zosPasswordEncryptionKey-1.0 feature in the server.xml file. Specify the key ring details and identify the personal certificate that holds the private key in the zosPasswordEncryptionKey element.
  <featureManager>
      <feature>zosPasswordEncryptionKey-1.0</feature>
  </featureManager>
  <zosPasswordEncryptionKey keyring="safkeyring:///KEYRING" label="WLP" type="JCERACFKS" />
With this configuration, the server accesses the key ring at run time and retrieves the private key from the certificate that the label attribute identifies. To encrypt a password with that key, run the securityUtility encode command with the same key ring, key ring type, and certificate label that the zosPasswordEncryptionKey element specifies, and place the resulting {aes} value in the server configuration. If the values do not match, the server cannot decrypt the password.
  securityUtility encode --encoding=aes --keyring=safkeyring:///KEYRING --keyringType=JCERACFKS --keyLabel=WLP passwordToEncrypt
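The following audit script is an added example and is not part of the Liberty documentation or product. It checks a server.xml for the setup described above: the zosPasswordEncryptionKey-1.0 feature is enabled, a zosPasswordEncryptionKey element names the key ring, key ring type, and certificate label, no wlp.password.encryption.key variable is left in the configuration, and every password attribute is {aes}-encrypted rather than plaintext or merely {xor}-obfuscated. The two embedded server.xml samples are constructed for the example, and the {aes} value in the corrected sample is a placeholder, not real securityUtility output.

```python
"""Audit a Liberty server.xml for the SAF key ring password-encryption setup.

Added example, not IBM code. The sample configurations below are constructed.
"""
import xml.etree.ElementTree as ET

FEATURE = "zosPasswordEncryptionKey-1.0"
KEY_VARIABLE = "wlp.password.encryption.key"
REQUIRED_ATTRS = ("keyring", "label", "type")

# Constructed weak configuration: the AES key is a server.xml variable, one
# password is only {xor}-obfuscated and another is plaintext.
WEAK_SERVER_XML = """<server>
  <featureManager><feature>transportSecurity-1.0</feature></featureManager>
  <variable name="wlp.password.encryption.key" value="not-so-secret-key"/>
  <keyStore id="defaultKeyStore" password="{xor}Lz4sLCgwLTs="/>
  <dataSource id="db"><properties.db2.jcc user="dbuser" password="plaintext"/></dataSource>
</server>"""

# Constructed corrected configuration: the key lives in the SAF key ring and the
# {aes} value is a placeholder standing in for securityUtility encode output.
FIXED_SERVER_XML = """<server>
  <featureManager>
    <feature>transportSecurity-1.0</feature>
    <feature>zosPasswordEncryptionKey-1.0</feature>
  </featureManager>
  <zosPasswordEncryptionKey keyring="safkeyring:///KEYRING" label="WLP" type="JCERACFKS"/>
  <keyStore id="defaultKeyStore" password="{aes}AAAAAAAAAAAAAAAAAAAAAA=="/>
</server>"""


def password_encoding(value: str) -> str:
    """Return the Liberty encoding tag of a password value ('aes', 'xor', 'hash')
    or 'plaintext' when the value carries no {tag} prefix."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].lower()
    return "plaintext"


def audit(server_xml: str) -> list:
    """Return a list of findings; an empty list means the configuration passes."""
    root = ET.fromstring(server_xml)
    findings = []

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if FEATURE not in features:
        findings.append(f"feature {FEATURE} is not enabled")

    key_elements = root.findall("zosPasswordEncryptionKey")
    if not key_elements:
        findings.append("no zosPasswordEncryptionKey element names the SAF key ring")
    for element in key_elements:
        for attr in REQUIRED_ATTRS:
            if not element.get(attr):
                findings.append(f"zosPasswordEncryptionKey is missing the {attr} attribute")

    # The variable is ignored once the feature is enabled, but leaving it in the
    # configuration still exposes the old key to anyone who can read the file.
    for variable in root.iter("variable"):
        if variable.get("name") == KEY_VARIABLE:
            findings.append(f"{KEY_VARIABLE} is set in server.xml; remove it")

    # Every password-like attribute should carry the {aes} prefix produced by
    # securityUtility encode --encoding=aes; {xor} is reversible obfuscation.
    for element in root.iter():
        for name, value in element.attrib.items():
            if "password" in name.lower():
                encoding = password_encoding(value)
                if encoding != "aes":
                    findings.append(
                        f"<{element.tag}> attribute {name} uses {encoding}; "
                        "re-encode it with securityUtility encode --encoding=aes"
                    )
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(f"{label}: {audit(config) or 'no findings'}")
```

Run the script against a real server.xml by reading the file into audit(); it only inspects the configuration text and does not need z/OS or SAF access, so it can run in a pipeline before the configuration is deployed.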