KEYRING (FTP client) statement
Use the KEYRING statement to define the key ring that contains the certificate to be used during the TLS handshake. The statement specifies the key ring database on the client’s system.
Note: This parameter is only meaningful if TLSMECHANISM FTP is specified. If TLSMECHANISM ATTLS is specified, then the keyring must be configured in the AT-TLS policy.
Syntax
Parameters
- keyringname
  The name of the keyring. If the name begins with a slash (/), it is the name of the key database HFS file. Otherwise, it is an SAF keyring created by using the RACF® ADDRING function.
- userid/keyringname
  Allows multiple FTP users to share one key ring owned by another user. The keyringname value is the SAF key ring created by using the RACF ADDRING function. The userid value must be the user that owns the key ring.
  Restrictions:
- For a SAF keyring, all users must be given access to the keyring. If keyring access is protected using the RDATALIB class, the users must have READ access to KeyRingOwner.KeyRingName.LST resource. For example, for a SAF key ring defined as RING01 that is owned by the user ID SHAREID, the users would need to be given READ access to the SHAREID.RING01.LST resource in the RDATALIB class.
- If keyring access is protected using the FACILITY class, the users must have UPDATE access to the IRR.DIGTCERT.LISTRING resource in the FACILITY class when using an SAF key ring owned by another user.
Examples
KEYRING /u/user33/keyring/key.kdb
KEYRING user33/ftpring
KEYRING ftpring
Guideline: For an SAF keyring, if the userid is omitted, the user ID specified on the FTP USER command by the client is used.
Usage notes
- KEYRING is required if TLS is used as a security mechanism.
- The SECURE_MECHANISM TLS and TLSMECHANISM FTP statements must be coded for this statement to be used by an FTP client.
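The following is an added example, not part of the original documentation or of any IBM tooling: a small Python audit that reads client FTP.DATA text, checks the KEYRING statement against the note and usage notes above, and lists the RACF access a shared SAF key ring needs. The function names and the sample content are hypothetical, and the comment syntax (`;`), case-insensitive keyword matching and last-statement-wins behavior are assumptions.

```python
# Added example: audit KEYRING in a client FTP.DATA file against the rules on this page.
# Assumptions (not from the page): ';' starts a comment, keywords are matched
# case-insensitively, and the last occurrence of a statement wins.

def parse_ftp_data(text):
    """Return {STATEMENT: value} for each non-comment line."""
    stmts = {}
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split(None, 1)
        if parts:
            stmts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return stmts

def classify_keyring(value, ftp_user):
    """Classify a KEYRING value and list the RACF access a shared ring needs."""
    if value.startswith("/"):
        return {"kind": "key database file", "name": value, "access": []}
    owner, sep, ring = value.partition("/")
    if not sep:  # userid omitted: the FTP USER command's user ID is used
        owner, ring = ftp_user, value
    access = []
    if owner.upper() != ftp_user.upper():  # ring owned by another user
        # Only the class that actually protects the ring applies.
        access = [("RDATALIB", f"{owner}.{ring}.LST", "READ"),
                  ("FACILITY", "IRR.DIGTCERT.LISTRING", "UPDATE")]
    return {"kind": "SAF key ring", "name": f"{owner}/{ring}", "access": access}

def audit(text, ftp_user):
    """Return (keyring info or None, list of findings)."""
    s = parse_ftp_data(text)
    tls = s.get("SECURE_MECHANISM", "").upper() == "TLS"
    mech = s.get("TLSMECHANISM", "").upper()
    ring = s.get("KEYRING")
    findings = []
    if tls and mech == "ATTLS":
        if ring:
            findings.append("KEYRING has no effect; configure the key ring in the AT-TLS policy")
    elif tls and not ring:
        findings.append("KEYRING is required when TLS is the security mechanism")
    elif ring and not (tls and mech == "FTP"):
        findings.append("KEYRING is unused; code SECURE_MECHANISM TLS and TLSMECHANISM FTP")
    return (classify_keyring(ring, ftp_user) if ring else None), findings

# Constructed sample FTP.DATA content (not from a real system).
SAMPLE = """\
; client TLS settings
SECURE_MECHANISM TLS
TLSMECHANISM FTP
KEYRING SHAREID/RING01   ; ring shared by several FTP users
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "USER33"))
```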
