Define a keystore for software encryption using the iKeyman utility

These steps define and open a keystore for software encryption using the iKeyman utility.

Use this procedure to open the cryptographic key database.
  1. Invoke the iKeyman facility by issuing the following command. The iKeyman facility is a graphical user interface, so an X11 or VNC graphical environment must already be active before running iKeyman.
    java com.ibm.gsk.ikeyman.Ikeyman
  2. Create a Java™ key database if one does not already exist:
    1. Click Key Database File > New.
    2. In the New window, complete these fields:
      • Key database type - Accept the default of jks.
      • File name - Type the file name. An example is testkeys.jks.
      • Location - Enter a directory into which the JKS keystore is placed.
    3. Click OK.
    4. At the password prompt:
      1. Type a password.
      2. Choose a password expiration date.
      3. Record the password for future use when opening the keystore.
      4. Click OK.
  3. If a Java key database already exists:
    1. Open the testkeys.jks keystore database with Key Database Type: JKS.
    2. Enter the password for the software keystore database; this password is used later for software encryption testing.

    For JSSE testing, keystore file testkeys.jks was in the /home/jsse directory.

  4. Create a self-signed certificate. This task is done on both the JSSE client and the JSSE server.
    1. Select Keystore content > Personal certificate.
    2. Select New self signed.
    3. Enter a key label. The name does not matter, but it should be unique.
    4. Accept all defaults.
    5. Click OK.
  5. To export the certificate, click Extract certificate, which creates a .cert file that can be imported on another system. Do this step on both the JSSE client and the JSSE server.
  6. Transfer the .cert file to the local file system of each of the other systems used in the study.
  7. Select Signer certificates in the pull down menu under the label Keystore content.
  8. Click Add.
  9. Type the path of the .cert file.
  10. Click Open.
  11. Click OK.
  12. Type a label. The name does not matter as long as there is only one, so use the same name as on the original keystore.
  13. Click OK.
  14. Add (import) the certificate, after extracting it to a cert.arm file, on the other systems that are to perform SSL handshakes with this system.

    When reviewing the signer certificates, you must see a signed certificate from the other system as well as the signed certificates generated locally on this system.

It is advisable to use meaningful names, such as certClient.arm and certServer.arm, instead of the default name cert.arm. An alternative is to use host names in the file names, to indicate which certificate came from which system.
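To show what iKeyman actually writes in the steps above, here is an added example (not from the IBM documentation or the iKeyman product) that builds and verifies a JKS keystore in Python, using the format constants from OpenJDK's sun.security.provider.JavaKeyStore; the certificate and key bytes are constructed placeholders, because the code never parses them. It shows that the keystore password keys only a SHA-1 integrity digest over the whole file, so a modified or removed signer entry is detected but the trusted certificates are not kept confidential, and it lists the entries the way the review in step 14 expects.

```python
import hashlib, hmac, struct, time
JKS_MAGIC, JKS_SALT, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, b"Mighty Aphrodite", 1, 2

def _digest(password, body):
    # The store password only keys an integrity digest: SHA1(UTF-16BE(pw) || salt || body).
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def _cert(der):  # certificate record: UTF type string, int length, DER bytes (opaque here)
    return struct.pack(">H", 5) + b"X.509" + struct.pack(">i", len(der)) + der

def build_jks(password, entries):
    out = bytearray(struct.pack(">IIi", JKS_MAGIC, 2, len(entries)))  # magic, version 2, count
    for alias, tag, der, *key in entries:                # (alias, tag, cert_der[, protected_key])
        a = alias.lower().encode()                       # keytool/iKeyman store aliases lower-cased
        out += struct.pack(">iH", tag, len(a)) + a + struct.pack(">q", int(time.time() * 1000))
        if tag == PRIVATE_KEY:                           # protected key blob, then a 1-cert chain
            out += struct.pack(">i", len(key[0])) + key[0] + struct.pack(">i", 1)
        out += _cert(der)
    return bytes(out) + _digest(password, out)

def _skip_cert(body, pos):
    pos += 2 + struct.unpack_from(">H", body, pos)[0]    # type string
    return pos + 4 + struct.unpack_from(">i", body, pos)[0]  # DER bytes

def list_jks(data, password):
    """Verify the keyed digest, then map alias -> entry type; ValueError on tamper or wrong password."""
    body, digest = data[:-20], data[-20:]
    if not hmac.compare_digest(_digest(password, body), digest):
        raise ValueError("integrity check failed: wrong password or modified keystore")
    if struct.unpack_from(">II", body) != (JKS_MAGIC, 2):
        raise ValueError("not a version-2 JKS file")
    entries, pos, count = {}, 12, struct.unpack_from(">i", body, 8)[0]
    for _ in range(count):
        tag, alen = struct.unpack_from(">iH", body, pos)
        alias = body[pos + 6:pos + 6 + alen].decode()
        pos += 6 + alen + 8                              # tag, alias, creation date
        nchain = 1                                       # a trusted-cert entry carries one cert
        if tag == PRIVATE_KEY:                           # key entry: protected key, then its chain
            pos += 4 + struct.unpack_from(">i", body, pos)[0]
            nchain, pos = struct.unpack_from(">i", body, pos)[0], pos + 4
        elif tag != TRUSTED_CERT:
            raise ValueError(f"unknown entry tag {tag}")
        for _ in range(nchain):
            pos = _skip_cert(body, pos)
        entries[alias] = "PrivateKeyEntry" if tag == PRIVATE_KEY else "trustedCertEntry"
    return entries

# Constructed sample: the local self-signed key entry plus the other system's imported signer cert.
SAMPLE_JKS = build_jks("changeit", [("local", PRIVATE_KEY, b"\x30\x00", b"\x01" * 8),
                                    ("certServer", TRUSTED_CERT, b"\x30\x00")])
```

Running list_jks against a real testkeys.jks with its password gives the same alias listing as the Signer certificates and Personal certificates views in iKeyman, which makes it usable as an offline check that the expected signer entry from the other system is present.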