GSKKYMAN Utility Certificate Parameter Definitions
This table describes the minimum parameter definitions required for Connect:Direct® Secure Plus for z/OS®. Consult the GSKKYMAN documentation for detailed information about all the certificate parameters and commands. If you plan to use FIPS mode, see z/OS V1R11.0 Cryptographic Services System Sockets Layer Programming SC24-5901-08 for more information about System SSL and FIPS mode.
GSKKYMAN Parameter | Description | Value Required for Connect:Direct Secure Plus Option |
---|---|---|
Label | Certificate label. LABEL keywords are case and blank sensitive; therefore, the values specified for these keywords must be exact. | Information to identify the certificate, for example, CD Secure Plus. Note: Specify the exact Label value in the Certificate Label field in the local node record of the Connect:Direct Secure Plus parameter file. Note: To use the default certificate defined in the key store instead, leave the Certificate Label field in the local node record blank and ensure that a default certificate exists in the key store. |
Version | X.509 certificates with version number 3 are supported. | 3 |
Trusted | Specifies the certificate status. | Yes |
Effective Date | Specifies the local date and time from which the certificate is valid. | Must be a valid date and time |
Expiration Date | Specifies the local date and time after which the certificate is no longer valid. All certificates used in the SSL/TLS handshake, including issuer certificates, must not be expired. | Must be a valid date and time |
keyUsage | Facilitates identification and key exchange during SSL/TLS security handshakes. | Digital Signature (required), Non-repudiation, Key encipherment, Data encipherment |
Issuer Name | Specifies the distinguished name of the Issuer that issued or signed a certificate. The name identifies the trusted certificate of the issuer or CA that signed the server certificate. The CA or entity certificate with that name must be available within the key database or keyring. The Issuer Name keywords are case and blank sensitive. Self-signed certificates have the same Issuer name and Subject name. | |
Certificate Subject Name | Specifies the certificate's subject distinguished name. It identifies the certificate. This name can identify certificates that may have issued or signed other certificates and can match other certificates' Issuer Name. | The following fields are attributes of the Certificate Subject Name parameter: CN=Common Name of the certificate in single quotes, for example, 'RACF SELF SIGN COMMON'; T='Title of person creating certificate'; OU='Organizational Unit associated with the person creating the certificate'; O='Organization for which the certificate is being created'; L='Locality (city) of the entity for which the certificate is created'; SP='State/Province of the locality'; C='Country of the locality' |
Public Key Algorithm | Specifies the algorithm used to encrypt data. | |
Public Key Size | Specifies the size of the public key expressed in decimal bits. A key size of 1024 provides secure encryption. A larger size provides more secure encryption but requires more CPU to encrypt. | |
Key database password | Specifies the password used when you created a key database file. | When you specify a gskkyman key database file name in the Certificate Pathname field for the local node record, you must specify the key database password in the Certificate Pathname Pass Phrase field. |
Default | Specifies that the certificate is the default certificate. Only one certificate can be the default certificate. Define the end-user server certificate of the local IBM® Connect:Direct node as the default. | YES |
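As an added illustration (not part of the IBM documentation or of any Connect:Direct tooling), the following Go program checks a parsed X.509 certificate against the requirements in the table that can be verified from the certificate itself: Version 3, current Effective/Expiration dates, keyUsage including Digital Signature, and a Subject Name with a CN. The self-signed test certificate it builds is constructed test data, and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// checkSecurePlusCert lists the table requirements a certificate fails at time now: X.509
// version 3, inside its Effective/Expiration window, keyUsage with Digital Signature, Subject CN.
func checkSecurePlusCert(c *x509.Certificate, now time.Time) []string {
	var problems []string
	if c.Version != 3 {
		problems = append(problems, "Version is not 3")
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		problems = append(problems, "outside Effective/Expiration dates")
	}
	if c.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "keyUsage lacks Digital Signature")
	}
	if c.Subject.CommonName == "" {
		problems = append(problems, "Subject Name has no CN")
	}
	return problems
}

// selfSignedTestCert builds a constructed self-signed certificate (test data,
// not a real Connect:Direct certificate) with the given keyUsage and dates.
func selfSignedTestCert(ku x509.KeyUsage, notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "CD SECURE PLUS TEST"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     ku,
	}
	// tmpl is its own parent, so Issuer Name equals Subject Name (self-signed).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("could not build constructed test certificate")
	}
	return cert
}
```

Issuer availability in the key database and the Label match in the parameter file cannot be checked from the certificate alone and are left to the administrator.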