z/OS Cryptographic Services System SSL Programming
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF

PKCS #11 and Setting CLEARKEY resource within CRYPTOZ class

z/OS Cryptographic Services System SSL Programming

The CLEARKEY.token-name resource within the CRYPTOZ class controls the ICSF policy for creating a clear key versus a secure key. When the resource is defined and set to NONE, System SSL's usage of the PKCS #11 callable services to generate keys is restricted to secure keys only. This causes functions within System SSL to fail. System SSL uses both explicit tokens and the SYSTOK-SESSION-ONLY omnipresent token.

The following are examples that can fail in this environment in System SSL:
  • The gskkyman utility or CMS APIs that create ECC or DH (FIPS mode) keys or certificates.
  • Ephemeral ECDH and Ephemeral DH key exchanges during a SSL/TLS handshake.

Go to the previous page Go to the next page

Copyright IBM Corporation 1990, 2014