Create a keystore configuration for a preexisting keystore file

An SSL configuration references keystore configurations during security processing. If another keystore tool is used to create a keystore file, or the keystore file was saved from a previous configuration, create a new keystore configuration object that references the preexisting keystore file. The server then uses this new keystore configuration object to obtain information from the preexisting keystore file.

A keystore must already exist.

Alternative Method: To create a keystore using the wsadmin tool, use the createKeyStore command of the AdminTask object. See KeyStoreCommands .article.

Tasks

1. Click...
   Security | SSL certificate and key management | Manage endpoint security configurations | {Inbound | Outbound} | Related Items | Key stores and certificates | New

   

2. Type a name in the Name field. This name uniquely identifies the keystore in the configuration.

3. Type the location of the keystore file in the Path field.

   The location can be a file name or a file URL to an existing keystore file.

4. Type the Control region Started Task user ID in which the Control region System Authorization Facility (SAF) keyring is to be created in the Control region user field. The user ID must match the exact ID being used by the Control region. This option only applies when creating writable SAF keyrings on z/OS .

5. Type the servant region Started Task user ID in which the servant region System Authorization Facility (SAF) keyring is to be created in the Servant region user field. The user ID must match the exact ID being used by the Control region. This option only applies when creating writable SAF keyrings on z/OS.

6. (iSeries) Type the keystore password in the Password field. This password is for the keystore file specified in the Path field.

7. Type the keystore password in the Password field.

   This password is for the keystore file specified in the Path field.

   Unlike other keystores, the JCERACFKS keystore is not password protected. However to be compatible with the JCE keystore, which requires a password, the JCERACFKS keystore requires the password password. Security protection for the JCERACFKS keystore is based on the identity of the executing thread for protection with RACF.

8. Type the keystore password again in the Confirm Password field to confirm the password.

9. Select a keystore type from the list. The type selected is for the keystore file specified in the Path field.

10. Select any of the following optional selections:

    • The Read only selection creates a keystore configuration object but does not create a keystore file. If this option is selected, the keystore file specified in the Path field must already exist.

    • The Initialize at startup selection initializes the keystore during runtime.

    • The Enable cryptographic operations on a hardware device specifies whether a hardware cryptographic device is used for cryptographic operations only.

      Operations that require login are not supported when using this option.

11. Click Apply and Save.

We have created a keystore configuration object for the keystore file specified. This keystore can now be used in an SSL configuration.

(ZOS) We also can use this method to add a z/OS keyring file to the configuration. The keyring file must be read only, not file-based.

Subtopics

• (iSeries) Recreating the .kdb keystore internal password record
  
• Configure a hardware cryptographic keystore
  
• Manage keystore configurations remotely
  
• Keystores and certificates collection
  
• Key store settings
  
• Key managers collection
  
• Key managers settings
  

Related:

Keystore configurations for SSL

SSL configurations

Keystores and certificates exchange signers

KeyStoreCommands