Creating a key database

A key database enables VPN endpoints to connect using valid digital certificates. The key database (*.kdb) format is used with IP Security VPNs.

The following types of CA digital certificates are provided with Key Manager:

  • RSA Secure Server Certification Authority
  • Thawte Personal Premium Certification Authority
  • Thawte Personal Freemail Certification Authority
  • Thawte Personal Basic Certification Authority
  • Thawte Personal Server Certification Authority
  • Thawte Server Certification Authority
  • Verisign Class 1 Public Primary Certification Authority
  • Verisign Class 2 Public Primary Certification Authority
  • Verisign Class 3 Public Primary Certification Authority
  • Verisign Class 4 Public Primary Certification Authority

These signature digital certificates enable clients to attach to servers that have valid digital certificates from these signers. After you create a key database, you can use it as created to attach to a server that has a valid digital certificate from one of the signers.

To use a signature digital certificate that is not on this list, you must request it from the CA and add it to your key database. See Adding a CA root digital certificate.

To create a key database using the certmgr command, use the following procedure:

  1. Start the Key Manager tool by typing:
    # certmgr
  2. Select New from the Key Database File list.
  3. Accept the default value, CMS key database file, for the Key database type field.
  4. Enter the following file name in the File Name field:
    ikekey.kdb
  5. Enter the following location of the database in the Location field:
    /etc/security
    Note: The key database must be named ikekey.kdb and it must be placed in the /etc/security directory. Otherwise, IP Security cannot function correctly.
  6. Click OK. The Password Prompt screen is displayed.
  7. Enter a password in the Password field, and enter it again in the Confirm Password field.
  8. If you want to change the number of days until the password expires, enter the desired number of days in the Set expiration time? field. The default value for this field is 60 days. If you do not want the password to expire, clear the Set expiration time? field.
  9. To save an encrypted version of the password in a stash file, select the Stash the password to a file? field and enter Yes.
    Note: You must stash the password to enable the use of digital certificates with IP Security.
  10. Click OK. A confirmation screen is displayed, confirming that the key database has been created.
  11. Click OK again and you return to the IBM® Key Management screen. You can either perform other tasks or exit the tool.
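After you exit the tool, you can confirm from a shell that the result satisfies the requirements stated in the notes above (exact file name, expected directory, stashed password) and that the secret-bearing files are not world-readable. This check script is an added example, not part of the IBM documentation; it assumes the stash file is written as ikekey.sth beside the database (the usual GSKit convention) and takes the directory to inspect as its argument so it can also be pointed at a copy.

```shell
#!/bin/sh
# Added verification script (not from the IBM documentation).
# Checks that a key database created with certmgr matches the requirements
# given above: it is named ikekey.kdb, a stash file is present so IP Security
# can open the database without an interactive password, and neither file is
# readable by other users. The stash file name ikekey.sth is an assumption
# based on the GSKit convention of pairing <name>.sth with <name>.kdb.
#
# Usage: check_ikekey_db [directory]   (IP Security requires /etc/security)
# Returns 0 when every check passes; otherwise prints each problem on stderr
# and returns 1.
check_ikekey_db() {
    dir=${1:-/etc/security}
    kdb="$dir/ikekey.kdb"
    sth="$dir/ikekey.sth"   # assumed stash file name
    rc=0

    if [ "$dir" != "/etc/security" ]; then
        echo "note: IP Security only uses /etc/security, not $dir" >&2
    fi
    if [ ! -f "$kdb" ]; then
        echo "missing key database: $kdb (must be named exactly ikekey.kdb)" >&2
        rc=1
    fi
    if [ ! -f "$sth" ]; then
        echo "missing stash file: $sth (password was not stashed)" >&2
        rc=1
    fi

    # Both files hold secrets (private keys, obfuscated password):
    # flag any 'other' permission bits. Columns 8-10 of ls -l are the
    # other-read/write/execute flags, which keeps this portable.
    for f in "$kdb" "$sth"; do
        [ -f "$f" ] || continue
        other=$(ls -ld "$f" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "too permissive: $f (other bits: $other)" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as root with `check_ikekey_db /etc/security`; a non-zero return means IP Security will not be able to use the database as described above.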