Key set groups settings

To create new key set groups.

To view this admin console page, click Security > SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration. Under Related items, click Key set groups. Then click the New button.

Key set group name

Name of key set group used. This name can be referenced using the API to retrieve the managed keys from an application.

Data type: Text

Key sets

Specifies a set of key instances of the same type for use in cryptographic operations.


Specifies to add the selected key set part of this key set group.


Specifies to remove the selection from the Key sets list.

Automatically generate keys

The keys are generated automatically on a schedule.

When a new key is generated, the security.xml is updated and saved by the runtime to track the key reference version. This can cause save conflicts when updating the same file from admin applications.

Avoid trouble: Starting with Versions and, the default value for this property is Disabled.

If we try to enable this property, and automatic synchronization is off in any node, the following admin console message displays:

Warning: At least one node in the cell was unreachable or is not configured to automatically synchronize.  It is strongly recommended that you verify the node settings, and do not enable automatic  generation of LTPA keys while automatic synchronization is disabled on any node.

Default for Versions 7.0, and Enabled
Default for Versions and higher: Disabled

Scheduled time for generation

Scheduled time when the system generates selected key set group or groups. We can specify the scheduled time in hours and minutes; specify either A.M. or P.M., or specify 24-hour. We can also specify the day of the week you want the scheduled event to occur. IBM recommends set this event to occur during a low peak time, especially for keys that are used by runtime for token validation.

Data type Integer
Default: 0, 0
Range: 1–12, 0–59

Generate on a specific day

Whether to have the generation occur on a specific day of the week. It is best to auto-generate keys during a low peak day.

Default: Enabled


Day of the week on which the expiration monitor will run if the Check on a specific day option is selected.

Default: Sunday
Range: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday

Repeat interval

Period of time between each schedule time to check for expired certificates or the interval between schedule checks.

Default: Daily
Range: Daily, Weekly

Generate at an interval

Specifies to generate keys at the specified frequency regardless of the day of the week on which generation occurs.

Default: Disabled

Next start date

Date for the next scheduled check. This allows the dmgr to be stopped and restarted without resetting the date.


Related tasks

Create an SSL configuration



Keystores and certificates collection
Key set groups collection