Keystores and truststores
Learn about keystores and truststores.
Keystores and truststores are repositories that contain cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS.
A keystore contains personal certificates, plus the corresponding private keys that are used to identify the owner of the certificate.
For TLS, a personal certificate represents the identity of a TLS endpoint. Both the client (for example, a REST client) and the server (for example, a IBM® z/OS® Connect server) might have personal certificates to identify themselves.
A truststore contains the signer certificates (also known as certificate authority certificates) which the endpoint trusts.
A signer certificate contains a public key, which is used to validate personal certificates. By installing the server’s signer certificate into the client's truststore, you are allowing the client to trust the server when it establishes a TLS connection. The same principle is true for a server to trust a client when TLS client authentication is enabled.
IBM z/OS Connect supports Java™ KeyStores (JKS), Public Key Cryptography Standards #12 (PKCS12), and SAF key rings.
JKS keystore type
A Java Keystore (JKS) is a common keystore type that is used for Java environments
because it is easier to set up. JKSs use files with a .jks extension that are
stored in the zFS file system. The JKS is referenced by the
keyStore element in the
server.xml configuration file. You can use a JKS for both keystores and
PKCS12 keystore type
Public Key Cryptography Standards #12 (PKCS12) is an industry standard keystore
type, which makes it compatible with other products. PKCS12 keystores use files with a
.p12 extension that are stored in the zFS file system. The PKCS12 keystore is
referenced by the
keyStore element in the server.xml
configuration file. You can use a PKCS12 type for both keystores and truststores.
PKCS12 is the default keystore type in IBM z/OS Connect.
SAF key rings
- JCERACFKS when the IBMJCE security provider is used.
- JCECCARACFKS when the IBMJCECCA security provider is used.
- JCEHYBRIDRACFKS when the IBMJCEHYBRID security provider is used.
keyStore element in the
server.xml configuration file, and the type of keystore is specified in the
location and type attributes.
|ssl keystore location attribute
|ssl keystore type attribute