Enabling secure key management for public key cryptography
Complete the following steps to enable secure key management for public key cryptography.
Secure key management for public key cryptography must be installed and enabled on all processors in the loosely coupled complex.
- Install symmetric secure key management (APAR PJ31450).
- Determine how many public key pairs you need.
- Define the PKI master keystore by loading a new file address compute program table (FCTB) with #IPKI fixed file records. See Defining PKI keystore resources for information on how many records to define.
- Define the PKI memory keystore by specifying the PUBKENT parameter on the PKEYS macro in SIP when defining keypoint C (CTKC) or by using the ZPUBK PUBKENT command.
- Change the master keystore validation timer, if necessary. The default value is 1 minute. You can change the value by specifying the KEYSVAL parameter on the SKEYS macro or by using the ZKEYS KEYSVAL command.
- IPL the z/TPF system. If you are enabling PKI support for the first time, you will receive an error during restart because the PKI master keystore is not initialized. Enter ZPUBK INITIALIZE followed by ZPUBK CONFIRM INITIALIZE and IPL the z/TPF system.
- IPL the other processors in the loosely coupled complex (to enable secure key management for public key cryptography on each).
- If you want to restrict which programs are allowed to import symmetric keys to the symmetric keystore using the tpf_secure_key_import function, update the secure symmetric key import user exit. By default, all programs are allowed to import keys to the symmetric keystore.
- Create public key pairs using the ZPUBK GENERATE command.
- Use the ZKEYS BACKUP command to back up the master keystore.
- Use the ZPUBK ACTIVATE command to activate the key pairs.
- Use the ZKEYS BACKUP command to create another backup copy of the master keystore.
Do the following if you want your SSL applications to use private keys created on z/TPF:
- Create a certificate.
  - If you are creating a self-signed certificate, do the following:
    - Use the ZPUBK REQCERT command to create a self-signed certificate.
  - If you are creating a certificate request, do the following:
    - Use the ZPUBK REQCERT command to create a certificate request.
    - Send the certificate request to a certificate authority (CA) to create and sign a certificate.
    - Send the certificate to your z/TPF system.
- Assign the signed certificate file to the SSL application by specifying a path name to the signed certificate on the z/TPF file system.
- Modify your application to specify the name of the public key pair created by z/TPF.