+

Search Tips   |   Advanced Search

Key store settings

Use this page to create all keystore types, including...

To view this console page, click...

Links to Personal certificates, Signer certificates, and Personal certificate requests enable you to manage certificates in a manner similar to iKeyman capabilities. A keystore can be file-based, such as CMS or Java keystore types, or it can be remotely managed.

Any changes made to this panel are permanent.


Name

Unique name to identify the keystore. The keystore is typically scoped by the ManagementScope scopeName based on the location of the keystore. The name must be unique within the existing keystore collection.

Information Value
Data type: Text


Description

Description of the keystore.

Information Value
Data type: Text


Management scope

Scope where this SSL configuration is visible. For example, if you choose a specific node, then the configuration is only visible on that node and any servers that are part of that node.

Information Value
Data type: Text


Path

Location of the keystore file in the format needed by the keystore type. This file can be a dynamic link library (DLL) for cryptographic devices or a filename or file URL for file-based keystores. It can be a safkeyring URL for RACF keyrings.

Information Value
Data type: Text


Control region user

Specifies the Control region Started Task user ID in which the Control region System Authorization Facility (SAF) keyring is created. The user ID must match the exact ID being used by the Control region. Note: Applies when creating writable SAF keyrings on z/OS .

Information Value
Data type: Text


Servant region user

Servant region Started Task user ID in which the Servant region System Authorization Facility (SAF) keyring is created. The user ID must match the exact ID being used by the Servant region. Note: Applies when creating writable SAF keyrings on z/OS.

Information Value
Data type: Text


Password [new keystore] | Password [existing keystore]

Password used to protect the physical keystore in the operating system. For the default keystore (names ending in DefaultKeyStore or DefaultTrustStore), the password is WebAS. This default password must be changed.

This field can be edited.

Information Value
Data type: Text

To push the key store to all nodes, the path should be: ${CONFIG_ROOT}/cells/CELLNAME/yourkeystore.kdb.


Confirm password

Specifies confirmation of the password to open the keystore file or device.

Information Value
Data type: Text


Type

Implementation for keystore management. This value defines the tool that operates on this keystore type.

The list of options is returned by java.security.Security.getAlgorithms("KeyStore"). Some options might be filtered and some might be added based on the java.security configuration.

Information Value
Data type: Text
Default: PKCS12


Read only

Whether the keystore can be written to or not. If the keystore cannot be written to, certain operations cannot be performed, such as creating or importing certificates.

Information Value
Default: Disabled


Remotely managed

Whether the key store is remotely managed, which means that a remote MBean call is needed to update the key store based on the host name specified in the host list field. Most hardware cryptographic token devices are remotely managed. If a key store is marked remotely managed, list the host name of the server where the device is installed in the Host list field.

Information Value
Default:


Initialize at startup

Whether the keystore needs to be initialized before it can be used for cryptographic operations. If enabled, the keystore is initialized at server startup.

Information Value
Default: Disabled


Enable cryptographic operations on hardware device

Whether a hardware cryptographic device is used for cryptographic operations only. Operations that require a login are not supported when using this option.

Information Value
Default: Disabled


Related tasks

(zos) Create writable SAF keyrings

Keystores and certificates collection