Key store settings
Create all keystore types, including cryptographic, Resource Access Control Facility (RACF ), Certificate Management Services (CMS), Java, and all truststore types.
From the admin console, click...
Security > SSL certificate and key management > Configuration settings > Manage endpoint security configurations > {Inbound | Outbound} > Related Items > Key stores and certificates
Click either New or an existing keystore.
Links to Personal certificates, Signer certificates, and Personal certificate requests allow us to manage certificates in a manner similar to iKeyman capabilities. A keystore can be file-based, such as CMS or Java keystore types, or it can be remotely managed.
Any changes made to this page are permanent.
Name
Unique name to identify the keystore. The keystore is typically scoped by the ManagementScope scopeName based on the location of the keystore. The name must be unique within the existing keystore collection.
Information Value Data type: Text
Description
Description of the keystore.
Information Value Data type: Text
Management scope
Scope where this SSL configuration is visible. For example, if we choose a specific node, then the configuration is only visible on that node and any servers that are part of that node.
Information Value Data type: Text
Path
Location of the keystore file in the format needed by the keystore type. This file can be a dynamic link library (DLL) for cryptographic devices or a filename or file URL for file-based keystores. It can be a safkeyring URL for RACF keyrings.
Information Value Data type: Text
Control region user
The Control region Started Task user ID in which the Control region System Authorization Facility (SAF) keyring is created. The user ID must match the exact ID being used by the Control region. Note: This option only applies when creating writable SAF keyrings on z/OS .
Information Value Data type: Text
Servant region user
The Servant region Started Task user ID in which the Servant region System Authorization Facility (SAF) keyring is created. The user ID must match the exact ID being used by the Servant region. Note: This option only applies when creating writable SAF keyrings on z/OS.
Information Value Data type: Text
Password [new keystore] | Password [existing keystore]
Password used to protect the physical keystore in the operating system. For the default keystore (names ending in DefaultKeyStore or DefaultTrustStore), the password is WebAS. This default password must be changed.
This field can be edited.
Information Value Data type: Text
To push the key store to all nodes, the path should be: ${CONFIG_ROOT}/cells/CELLNAME/yourkeystore.kdb.
Confirm password
Specifies confirmation of the password to open the keystore file or device.
Information Value Data type: Text
Type
The implementation for keystore management. This value defines the tool that operates on this keystore type.
The list of options is returned by java.security.Security.getAlgorithms("KeyStore"). Some options might be filtered and some might be added based on the java.security configuration.
Information Value Data type: Text Default: PKCS12
Read only
Specifies whether the keystore can be written to or not. If the keystore cannot be written to, certain operations cannot be performed, such as creating or importing certificates.
Information Value Default: Disabled
Remotely managed
Specifies whether the key store is remotely managed, which means that a remote MBean call is needed to update the key store based on the host name specified in the host list field. Most hardware cryptographic token devices are remotely managed. If a key store is marked remotely managed, list the host name of the server where the device is installed in the Host list field.
Information Value Default:
Initialize at startup
Specifies whether the keystore needs to be initialized before it can be used for cryptographic operations. If enabled, the keystore is initialized at server startup.
Information Value Default: Disabled
Enable cryptographic operations on hardware device
Specifies whether a hardware cryptographic device is used for cryptographic operations only. Operations that require a login are not supported when using this option.
Information Value Default: Disabled
Create a Secure Sockets Layer configuration (ZOS) Create writable SAF keyrings Keystores and certificates collection