Initializing a keystore file

A keystore file is a database file that stores operational keys, that is, keys encrypted under the master key. This topic describes how to keep records of your DES and PKA keys on systems running the IBM i operating system.

You can initialize two different types of keystores for your Cryptographic Coprocessor. The Cryptographic Coprocessor uses one type to store PKA keys and the other to store DES keys. You need to initialize a keystore file if you plan to store keys in it. Even though retained keys are not stored in a keystore file, one is still required because CCA searches for labels in keystore files before it searches for labels in the coprocessor.

The CCA CSP creates a DB2® keystore file if one does not already exist. If a keystore file already exists, the CCA CSP deletes the existing file and creates a new one in its place.

To initialize a keystore, you can use the Cryptographic Coprocessor configuration utility. Click Manage configuration and then click AES keys, DES keys, or PKA keys, depending on which keystore file you want to initialize. The utility can only initialize a keystore file that does not already exist.

If you would rather write your own application to initialize a keystore file, you can do so by using the KeyStore_Initialize (CSNBKSI) API verb.

After you create a keystore for your Cryptographic Coprocessor, you can generate DES and PKA keys to store in your keystore files.