z/OS® provides several facilities to manage tokens:

- A C language application programming interface (API) that implements a subset of the PKCS #11 specification. For a description of this API, see The C API.
- PKCS #11 specific ICSF callable services. The C API uses these callable services. For information about these callable services, see ICSF PKCS #11 callable services.
- ISPF panels. The ICSF ISPF panels provide the capability to see a formatted view of TKDS objects, and make limited updates to them.
- The RACF® RACDCERT command supports the certificate, public key, and private key objects, and provides the following subfunctions to manage these objects:
    ADDTOKEN - creates a new empty token
    DELTOKEN - deletes an existing token and everything in it
    LISTTOKEN - displays information on the certificate objects in a token and whether associated public and private key objects exist
    BIND - connects a RACF certificate, its public key, and potentially its private key to an existing token
    UNBIND - removes a certificate and its keys from a token
- The RACF R_Datalib callable service (IRRSDL00) allows applications to read tokens by providing a user ID of *TOKEN* to indicate that the key ring name is really a token name. For information about R_Datalib, see z/OS Security Server RACF Callable Services.

Note: IRRSDL00 was originally created to allow applications to read RACF (SAF) key rings, but has been enhanced to read PKCS #11 tokens as well. Thus applications written to read key rings can also read tokens without being modified.
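As an added example (not from this page and not IBM's own sample), the following batch TSO job walks through the five RACDCERT token subfunctions in the order an administrator would normally use them: create a token, bind a certificate with its keys, verify with LISTTOKEN, unbind, and delete. The job name, the token name APPSIGN, the user ID APPUSER and the certificate label are constructed values; the operand forms (ID(...) before BIND/UNBIND, LABEL, TOKEN, USAGE) are assumed from the general RACDCERT syntax and should be checked against the z/OS Security Server RACF Command Language Reference for your release before use.

```jcl
//RACDTOK  JOB (ACCT),'TOKEN MGMT',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the z/OS documentation. Drives the
//* RACDCERT PKCS #11 token subfunctions from a batch TSO step.
//* APPSIGN, APPUSER and the certificate label are constructed
//* names; operand syntax is assumed, verify it for your release.
//*
//* Step 1: ADDTOKEN  - create an empty token in the TKDS
//* Step 2: BIND      - attach APPUSER's certificate, its public
//*                     key and (if RACF holds it) its private key
//* Step 3: LISTTOKEN - confirm the certificate object is present
//*                     and whether key objects exist for it
//* Step 4: UNBIND    - remove that certificate and its keys
//* Step 5: DELTOKEN  - delete the token and everything left in it
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ADDTOKEN(APPSIGN)
  RACDCERT ID(APPUSER) BIND(LABEL('App Signing Cert') +
           TOKEN(APPSIGN) USAGE(PERSONAL))
  RACDCERT LISTTOKEN(APPSIGN)
  RACDCERT ID(APPUSER) UNBIND(LABEL('App Signing Cert') +
           TOKEN(APPSIGN))
  RACDCERT DELTOKEN(APPSIGN)
/*
```

Two practical points. Run LISTTOKEN before DELTOKEN in real use rather than straight after UNBIND as here, because DELTOKEN removes every object still in the token, including objects that were created through the C API or ISPF rather than RACDCERT. Authority for these subfunctions is checked against profiles in the CRYPTOZ class (the SO.token-name and USER.token-name resources, here SO.APPSIGN and USER.APPSIGN), so a failing step usually means the submitting user lacks the required access to those profiles rather than a problem with the command itself.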