OCEP data storage library

Within the OCSF framework, a data storage library service provider module provides persistent storage of security-related objects, such as digital certificates and keys. The OCEP Data Storage Library service provider module is designed to give applications read-only access to key ring information that has been defined and stored in the RACF database.

When the proper authorizations are established, OCEP can access this information from the RACF database. As Table 1 shows, an application can use the OCEP Data Storage Library service provider module to query specific fields in the certificate record.

Table 1. Queriable Fields in the Certificate Record

Label
  Description: The value that identifies the certificate; it must be unique within the certificate class and user ID. For example, the label "CA Cert" may be used both for a certificate belonging to an individual user and for a certificate authority's certificate. Also, two different users may each mark their private keys as "My Key".
  Length: 1-32 characters (specified in RACF)

Subject DN
  Description: The DER-encoded X.500 Subject's Distinguished Name; it is not unique to this certificate.
  Length: 256 bytes or less

Default for Ring Attribute
  Description: A binary boolean field that indicates whether a default is specified; the value is unique to this certificate. Zero means not default; nonzero means default.
  Length: 4 bytes

In response to a query, the following information about the certificate will be returned to the application:
  • DER-encoded certificate
  • Private key for a user certificate, if it exists and if the calling user ID owns this certificate
  • RACF user ID that owns the certificate
  • Label associated with this certificate
  • Subject DN
  • Key type
  • Key size

This information is only returned for certificates that have been marked as trusted by RACF. If the certificate is not trusted, it will not be returned to the application.
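As an added illustration (not code from the OCEP documentation or from IBM), the following Python models the query semantics described above over constructed records: the Table 1 field limits, the 4-byte Default for Ring flag, and the rules that only RACF-trusted certificates are returned and that the private key is returned only to the owning user ID. The record layout, function names and sample values are assumptions, not the OCSF API.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CertRecord:
    owner: str            # RACF user ID that owns the certificate
    label: str            # 1-32 characters, unique within class and user ID
    subject_dn: bytes     # DER-encoded X.500 Subject DN, 256 bytes or less
    default_flag: bytes   # 4-byte binary boolean; nonzero means default for ring
    cert_der: bytes       # DER-encoded certificate
    trusted: bool         # trust status as marked in RACF
    private_key: Optional[bytes] = None
    key_type: str = "RSA"
    key_size: int = 2048

def is_default_for_ring(flag: bytes) -> bool:
    """Zero is 'not default'; any nonzero 4-byte value is 'default'."""
    if len(flag) != 4:
        raise ValueError("Default for Ring attribute must be exactly 4 bytes")
    return any(flag)

def validate_record(rec: CertRecord) -> None:
    # Enforce the field limits from Table 1; raise on violation.
    if not 1 <= len(rec.label) <= 32:
        raise ValueError(f"label {rec.label!r} must be 1-32 characters")
    if len(rec.subject_dn) > 256:
        raise ValueError("Subject DN must be 256 bytes or less")
    is_default_for_ring(rec.default_flag)

def query_by_label(records, caller: str, label: str) -> list:
    """Untrusted records are never returned; the private key goes only to the owning user ID."""
    results = []
    for rec in records:
        validate_record(rec)
        if rec.label != label or not rec.trusted:
            continue
        results.append({
            "certificate": rec.cert_der,
            "private_key": rec.private_key if rec.owner == caller else None,
            "owner": rec.owner, "label": rec.label, "subject_dn": rec.subject_dn,
            "key_type": rec.key_type, "key_size": rec.key_size,
            "default_for_ring": is_default_for_ring(rec.default_flag),
        })
    return results

# Constructed sample records (placeholder bytes, not real certificates or keys).
RECORDS = [
    CertRecord("ALICE", "My Key", b"\x30\x00", b"\x00\x00\x00\x01", b"cert-alice", True, b"key-alice"),
    CertRecord("BOB", "My Key", b"\x30\x00", b"\x00\x00\x00\x00", b"cert-bob", True, b"key-bob"),
    CertRecord("CAROL", "My Key", b"\x30\x00", b"\x00\x00\x00\x00", b"cert-carol", False, b"key-carol"),
]
```

Querying as ALICE returns her own record with its private key and BOB's record without one; CAROL's untrusted record is never returned to anyone.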

For more information about the OCEP Data Storage Library service provider module and the supported APIs, see Using data storage library services.