Key store settings
Use this page to create all keystore types, including cryptographic, Resource Access Control Facility (RACF®), Certificate Management Services (CMS), Java™, and all truststore types.
To view this administrative console page, click . Under Configuration settings, click. Under Related Items, click Key stores and certificates. Click either New or an existing keystore.
Links to Personal certificates, Signer certificates, and Personal certificate requests enable you to manage certificates in a manner similar to iKeyman capabilities. A keystore can be file-based, such as CMS or Java keystore types, or it can be remotely managed.
Name
Specifies the unique name to identify the keystore. The keystore is typically scoped by the ManagementScope scopeName based on the location of the keystore. The name must be unique within the existing keystore collection.
| Information | Value |
|---|---|
| Data type: | Text |
Description
Specifies the description of the keystore.
| Information | Value |
|---|---|
| Data type: | Text |
Management scope
Specifies the scope where this Secure Sockets Layer (SSL) configuration is visible. For example, if you choose a specific node, then the configuration is only visible on that node and any servers that are part of that node.
| Information | Value |
|---|---|
| Data type: | Text |
Path
Specifies the location of the keystore file in the format needed by the keystore type. This file can be a dynamic link library (DLL) for cryptographic devices or a filename or file URL for file-based keystores. It can be a safkeyring URL for RACF keyrings.
| Information | Value |
|---|---|
| Data type: | Text |
Control region user
Specifies the Control region Started Task user ID in which the Control region System Authorization Facility (SAF) keyring is created. The user ID must match the exact ID being used by the Control region. Note: This option only applies when creating writable SAF keyrings on z/OS®.
| Information | Value |
|---|---|
| Data type: | Text |
Servant region user
Specifies the Servant region Started Task user ID in which the Servant region System Authorization Facility (SAF) keyring is created. The user ID must match the exact ID being used by the Servant region. Note: This option only applies when creating writable SAF keyrings on z/OS.
| Information | Value |
|---|---|
| Data type: | Text |
Password [new keystore] | Password [existing keystore]
Specifies the password used to protect the physical keystore in the operating system. For the default keystore (names ending in DefaultKeyStore or DefaultTrustStore), the password is WebAS. This default password must be changed.
| Information | Value |
|---|---|
| Data type: | Text |
${CONFIG_ROOT}/cells/CELLNAME/yourkeystore.kdb.Confirm password
Specifies confirmation of the password to open the keystore file or device.
| Information | Value |
|---|---|
| Data type: | Text |
Type
Specifies the implementation for keystore management. This value defines the tool that operates on this keystore type.
| Information | Value |
|---|---|
| Data type: | Text |
| Default: | PKCS12 |
Read only
Specifies whether the keystore can be written to or not. If the keystore cannot be written to, certain operations cannot be performed, such as creating or importing certificates.
| Information | Value |
|---|---|
| Default: | Disabled |
Remotely managed
Specifies whether the key store is remotely managed, which means that a remote MBean call is needed to update the key store based on the host name specified in the host list field. Most hardware cryptographic token devices are remotely managed. If a key store is marked remotely managed, list the host name of the server where the device is installed in the Host list field.
| Information | Value |
|---|---|
| Default: |
Initialize at startup
Specifies whether the keystore needs to be initialized before it can be used for cryptographic operations. If enabled, the keystore is initialized at server startup.
| Information | Value |
|---|---|
| Default: | Disabled |
Enable cryptographic operations on hardware device
Specifies whether a hardware cryptographic device is used for cryptographic operations only. Operations that require a login are not supported when using this option.
| Information | Value |
|---|---|
| Default: | Disabled |