Managing X509 certificate and private key
Manage an X509 certificate and a private key in the ICSF PKCS#11 token data set by using the System SSL program gskkyman, the RACF® command RACDCERT, and hwkeytool.
Information about the various tools is available in the following topics. Refer to the corresponding documents for your version of z/OS®.
- For information about gskkyman, see z/OS Cryptographic Services System SSL Programming.
- For information about RACDCERT, see z/OS Security Server RACF Command Language Reference and z/OS Security Server RACF Security Administrator's Guide.
- For information about viewing objects such as an X509 certificate or private key object in the TKDS and making limited updates to those objects by using ISPF panels, see z/OS Cryptographic Services ICSF Administrator's Guide.
- For information about hwkeytool, see hwkeytool key and certificate management utility.
The SunPKCS11 provider allows a Java™ application to access the ICSF PKCS#11 token data set through java.security.KeyStore methods.
The IBMJCECCA keystore application hwkeytool now supports PKCS#11 keystores when the IBMJCECCA and SunPKCS11 providers are present in the security properties file. -keystore must be set as NONE if -storetype is PKCS#11. The following example shows how to list a PKCS#11 keystore:

    hwkeytool -list -storetype PKCS11 -keystore NONE

The Java tools ikeyman and ikeycmd (the command line version of ikeyman) that may be used to manage PKCS#11 tokens and objects on other operating systems are not supported on z/OS.
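The java.security.KeyStore access described above can be used to audit a token's certificates from a Java application. The following is an added example, not IBM's code or part of the original page. It assumes the SunPKCS11 provider is already configured in the security properties file; the class name ListTokenKeystore and the optional PIN prompt are hypothetical.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

public class ListTokenKeystore {
    public static void main(String[] args) throws Exception {
        // Assumption: the token may or may not require a PIN. Prompt on the
        // console rather than taking it as an argument, so it does not show
        // up in process listings or shell history.
        Console console = System.console();
        char[] pin = console != null
                ? console.readPassword("Token PIN (press Enter if none): ")
                : null;
        if (pin != null && pin.length == 0) {
            pin = null;
        }

        KeyStore ks = KeyStore.getInstance("PKCS11");
        try {
            // A PKCS#11 keystore has no backing file, so the input stream is
            // null (the programmatic counterpart of -keystore NONE).
            ks.load(null, pin);
        } finally {
            if (pin != null) {
                Arrays.fill(pin, '\0'); // do not leave the PIN in memory
            }
        }

        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry" : "certificate entry";
            System.out.println(alias + " [" + kind + "]");
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                boolean expired = x509.getNotAfter().before(now);
                System.out.println("  subject: " + x509.getSubjectX500Principal().getName());
                System.out.println("  issuer:  " + x509.getIssuerX500Principal().getName());
                System.out.println("  expires: " + x509.getNotAfter() + (expired ? "  (EXPIRED)" : ""));
            }
        }
    }
}
```

The output gives the same inventory as the hwkeytool -list command above, with expired certificates flagged so they can be replaced before they cause handshake failures.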