KEYRING

The KEYRING system initialization parameter specifies the fully qualified name of the key ring, within the RACF database, that contains the keys and X.509 certificates used by CICS® support for the secure sockets layer (SSL) and for web services security. The region user ID that will use the key ring must either own the key ring or have the authority to use the key ring if it is owned by a different region user ID. You can create an initial key ring with the DFH$RING exec in CICSTS56.CICS.SDFHSAMP.

Note:
  • The KEYRING parameter is not used by Liberty JVM server's SSL support. If that is your only use of SSL in the CICS region, you do not have to specify the KEYRING parameter.
  • When AT-TLS is used to secure socket sessions, CICS SSL/TLS system initialization parameters such as KEYRING and MINTLSLEVEL are no longer required because the implementation of TLS is provided by AT-TLS policy statements and all encryption and decryption is done outside of the CICS address space. For details, see Introduction to Application Transparent Transport Layer Security (AT-TLS).

    The CICS region user ID still requires access to the key ring that is specified in the AT-TLS policy. If you are migrating from CICS SSL to AT-TLS, you can continue to use the existing CICS-owned key rings and reference them in the AT-TLS policies. If you want to set up new key rings in TCPIP, the CICS region user ID will require access to this new key ring. The server certificate will remain as either a CICS-owned or SITE certificate.

KEYRING=keyring-name
The maximum length of the KEYRING parameter is 47 characters, and the key ring name is case-sensitive. The following formats are accepted as the key ring name:
*
Ring.Name
USERID/*
USERID/Ring.Name
*AUTH*/*
*SITE*/*

where:

*
Specifies a virtual key ring that contains all the certificates owned by the region user ID.
Ring.Name
Specifies a key ring owned by the region user ID.
USERID/*
Specifies a virtual key ring that contains all the certificates owned by the named region user ID (USERID).
USERID/Ring.Name
Specifies a key ring owned by the named region user ID (USERID).
*AUTH*/*
Specifies the system virtual key ring that contains all the CA certificates. It is useful for regions that only use outbound connections and therefore do not need individual certificates of their own.
*SITE*/*
Specifies the system virtual key ring that contains all the SITE certificates.
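The following validator, added here as an illustration and not part of the CICS product or its samples, classifies a KEYRING value into one of the six accepted forms listed above, enforces the 47-character limit, and preserves the case of the ring name. The owner check assumes a RACF user ID of 1 to 8 characters drawn from A-Z, 0-9, @, # and $, and the ring-name check assumes any non-blank string without a slash; both rules are assumptions of this example rather than statements from the page.

```python
import re

# Maximum length of the KEYRING SIT parameter value (from the page).
MAX_KEYRING_LEN = 47

# Assumption of this example: a RACF user ID is 1-8 characters from
# A-Z, 0-9, @, # and $ (user IDs are not case-sensitive, so they are
# expected in upper case here).
_USERID_RE = re.compile(r"^[A-Z0-9@#$]{1,8}$")

# Assumption of this example: a ring name is any non-blank string that
# contains no slash. Its case is preserved, because the page states that
# the key ring name is case-sensitive.
_RINGNAME_RE = re.compile(r"^[^/\s]+$")


def classify_keyring(value):
    """Classify a KEYRING value into one of the six accepted forms.

    Returns a (form, owner, ring) tuple, where owner is the user ID that
    owns the ring (None when the region user ID is implied) and ring is
    the ring name or "*" for a virtual key ring. Raises ValueError for a
    value that matches none of the accepted forms.
    """
    if not value:
        raise ValueError("KEYRING value is empty")
    if len(value) > MAX_KEYRING_LEN:
        raise ValueError(
            "KEYRING value is %d characters; maximum is %d"
            % (len(value), MAX_KEYRING_LEN)
        )

    # "*": virtual ring of all certificates owned by the region user ID.
    if value == "*":
        return ("virtual-region", None, "*")
    # "*AUTH*/*": system virtual ring holding all CA certificates.
    if value == "*AUTH*/*":
        return ("virtual-system-ca", "*AUTH*", "*")
    # "*SITE*/*": system virtual ring holding all SITE certificates.
    if value == "*SITE*/*":
        return ("virtual-system-site", "*SITE*", "*")

    # "USERID/*" or "USERID/Ring.Name": ring owned by a named user ID.
    if "/" in value:
        owner, _, ring = value.partition("/")
        if not _USERID_RE.match(owner):
            raise ValueError("invalid owner user ID %r" % owner)
        if ring == "*":
            return ("virtual-user", owner, "*")
        if _RINGNAME_RE.match(ring):
            return ("user-ring", owner, ring)
        raise ValueError("invalid ring name %r" % ring)

    # "Ring.Name": ring owned by the region user ID itself.
    if _RINGNAME_RE.match(value):
        return ("region-ring", None, value)
    raise ValueError("invalid ring name %r" % value)


def parse_sit_keyring(line):
    """Parse a SIT override line of the form KEYRING=value.

    The KEYRING keyword is matched case-insensitively; the value is passed
    to classify_keyring() unchanged so that ring-name case is preserved.
    """
    keyword, sep, value = line.strip().partition("=")
    if not sep or keyword.strip().upper() != "KEYRING":
        raise ValueError("not a KEYRING parameter: %r" % line)
    return classify_keyring(value.strip())


if __name__ == "__main__":
    # Constructed sample values covering each accepted form.
    for sample in ("*", "CICSRing.Prod", "CICSUSER/*",
                   "CICSUSER/CICSRing.Prod", "*AUTH*/*", "*SITE*/*"):
        print("%-24s -> %s" % (sample, classify_keyring(sample)))
```

A value such as `*AUTH*/MyRing` is rejected, because the page lists only `*AUTH*/*` and `*SITE*/*` for the system virtual key rings and `*AUTH*` is not a valid owner user ID; a lowercase ring name under a named owner, for example `CICSUSER/prodring`, is accepted with its case intact.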

For more information about creating a key ring, see Building a key ring manually.