Keystores and truststores
Learn about keystores and truststores.
Applies to zosConnect-2.0.
Keystores and truststores are repositories that contain cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS.
A keystore contains personal certificates, plus the corresponding private keys that are used to identify the owner of the certificate.
For TLS, a personal certificate represents the identity of a TLS endpoint. Both the client (for example, a REST client) and the server (for example, an IBM® z/OS® Connect server) might have personal certificates to identify themselves.
A truststore contains the signer certificates (also known as certificate authority certificates) which the endpoint trusts.
A signer certificate contains a public key, which is used to validate personal certificates. By installing the server’s signer certificate into the client's truststore, you are allowing the client to trust the server when it establishes a TLS connection. The same principle is true for a server to trust a client when TLS client authentication is enabled.
z/OS Connect supports Java™ KeyStores (JKS), Public Key Cryptography Standards #12 (PKCS12), and SAF key rings.
JKS keystore type
A Java Keystore (JKS) is a common keystore type that is used for Java environments because it is easier to set up. JKSs use files with a .jks extension that are stored in the zFS file system. The JKS is referenced by the keyStore element in the server.xml configuration file. You can use a JKS for both keystores and truststores.
PKCS12 keystore type
Public Key Cryptography Standards #12 (PKCS12) is an industry standard keystore type, which makes it compatible with other products. PKCS12 keystores use files with a .p12 extension that are stored in the zFS file system. The PKCS12 keystore is referenced by the keyStore element in the server.xml configuration file. You can use a PKCS12 type for both keystores and truststores. PKCS12 is the default keystore type in IBM z/OS Connect.
SAF key rings
A SAF key ring is a keystore that is managed by the external security manager (for example, RACF) rather than stored as a file in zFS. The keystore type that you specify depends on the JCE security provider in use:
- JCERACFKS when the IBMJCE security provider is used.
- JCECCARACFKS when the IBMJCECCA security provider is used.
- JCEHYBRIDRACFKS when the IBMJCEHYBRID security provider is used.
The SAF key ring is referenced by the keyStore element in the server.xml configuration file, and the type of keystore is specified in the location and type attributes.
JCE provider | ssl keystore location attribute (server.xml) | ssl keystore type attribute (server.xml)
---|---|---
IBMJCE | location="safkeyring:///" | type="JCERACFKS"
IBMJCECCA | location="safkeyringhw:///" | type="JCECCARACFKS"
IBMJCEHYBRID | location="safkeyringhybrid:///" | type="JCEHYBRIDRACFKS"
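The following server.xml fragment is an added example, not taken from the product documentation, that combines the keystore types described above: a PKCS12 file in zFS holds the server's personal certificate, a SAF key ring (IBMJCE provider, so the safkeyring:/// location and JCERACFKS type from the table) acts as the truststore, and the ssl element ties them together with TLS client authentication enabled. The ids, the file path, the key ring name and the password are assumed placeholders; the TLS feature is assumed to be already enabled in the server.

```xml
<server>
    <!-- Server identity: personal certificate and private key in a PKCS12 file
         (PKCS12 is the default type). Path and password are placeholders; encode
         the real password with the securityUtility command rather than storing it
         in clear text. -->
    <keyStore id="zconKeyStore"
              location="/var/zosconnect/servers/server1/resources/security/key.p12"
              type="PKCS12"
              password="CHANGE_ME" />

    <!-- Truststore: signer (CA) certificates in a SAF key ring owned by the
         server's user ID. Key ring name is a placeholder. With a SAF key ring the
         password is a required dummy value, the store is not file based, and it is
         read only because SAF, not the server, manages the certificates. -->
    <keyStore id="zconTrustStore"
              location="safkeyring:///ZCONTrustRing"
              type="JCERACFKS"
              password="password"
              fileBased="false"
              readOnly="true" />

    <!-- TLS configuration: the server presents the certificate from zconKeyStore
         and validates client certificates against the signers in zconTrustStore.
         clientAuthentication="true" requires every client to present a certificate
         whose signer is in the truststore. -->
    <ssl id="zconSSLConfig"
         keyStoreRef="zconKeyStore"
         trustStoreRef="zconTrustStore"
         clientAuthentication="true" />

    <!-- Make this the default TLS configuration for the server's endpoints. -->
    <sslDefault sslRef="zconSSLConfig" />
</server>
```

Keeping the signer certificates in a separate truststore, rather than in the same store as the private key, means a client certificate is accepted only because its signer was deliberately placed in the truststore, and the private key never has to be exposed to whoever maintains the list of trusted signers.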
To learn how z/OS Connect can use keystores and truststores, see either API provider confidentiality and integrity when IBM z/OS Connect is acting as an API provider, or API requester confidentiality and integrity when IBM z/OS Connect is acting as an API requester.