Supported keystore types

The following types are supported in SDK Version 8 through IBMJCE, the default cryptographic service provider.
  • JKS
  • JCEKS. This keystore implementation protects private keys much more strongly than JKS does, using password-based encryption with Triple DES. You can upgrade a keystore of type "JKS" to type "JCEKS" by changing the password of a private-key entry in the keystore.
  • PKCS12. The keytool in an IBM JVM uses a PKCS12 keystore to store secret key entries, private key entries, and trusted certificate entries. (Changed in service refresh 1 fix pack 10.)
  • PKCS12S2. This is a second version of the PKCS12 keystore type, which provides the same function and exhibits the same behavior as the PKCS12 keystore type. (Changed in service refresh 1 fix pack 10.)
  • JCERACFKS. This is a RACF® keyring keystore. This type is available only on z/OS® systems with RACF installed.

    When using a JCERACFKS keystore, you must always specify the -keystore option. There is no default value.

    For JCERACFKS, specify the particular RACF keyring with the -keystore option, using the following syntax: safkeyring://userid/ringname. You must also name the class that handles the RACF keyring by using the -J-D option to set the java.protocol.handler.pkgs property. The following example lists all entries in the keyring "myring" owned by userid "SUSAN":
    keytool -list -storetype JCERACFKS -keystore safkeyring://SUSAN/myring -J-Djava.protocol.handler.pkgs=com.ibm.crypto.provider 

    For more information about JCERACFKS keystores, see Regarding RACF keystores.
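
A programmatic alternative to the JKS-to-JCEKS upgrade described in the JCEKS item above, added here as an example and not taken from the IBM documentation: it copies every entry of a JKS file into a new JCEKS file through the standard java.security.KeyStore API, so that private keys are re-protected by the JCEKS implementation. It assumes that one password protects the store and every key entry; the class name and the file arguments are hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical helper: copies a JKS keystore into a new JCEKS keystore.
public class JksToJceks {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java JksToJceks <in.jks> <out.jceks>");
            System.exit(2);
        }
        // Read the password interactively so it never appears in the process list.
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console available to read the password");
        }
        char[] pw = console.readPassword("Keystore and key password: ");

        KeyStore src = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            src.load(in, pw); // also verifies the store integrity check
        }
        KeyStore dst = KeyStore.getInstance("JCEKS");
        dst.load(null, null); // initialise an empty keystore

        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                // Private key entry: recover it, then let JCEKS re-encrypt it.
                Key key = src.getKey(alias, pw);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, pw, chain);
            } else {
                // Trusted certificate entry: copied as is.
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        try (OutputStream out = new FileOutputStream(args[1])) {
            dst.store(out, pw);
        }
        Arrays.fill(pw, '\0'); // clear the password from memory
        System.out.println("Copied " + dst.size() + " entries to " + args[1]);
    }
}
```

The original JKS file is left untouched; once the new keystore has been checked with keytool -list -storetype JCEKS, remove the old file so that the weaker-protected copy of the private keys does not linger.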