Perform the following steps to define a KEYSMSTR profile and store an encryption key.
- Choose a type of key encryption. Base your choice of encryption type on whether your system has cryptographic software, such as ICSF, installed.

| If you have... | Then use... | Notes |
|---|---|---|
| Cryptographic software installed | Key encryption (KEYENCRYPTED operand) | Cryptographic software must be active on the system when you define the KEYSMSTR profile. |
| No cryptographic software installed | Key masking (KEYMASKED operand) | |
- Create a profile in the KEYSMSTR class to define and store your encryption key, using your choice of encryption type as the operand of the SSIGNON segment.
Example:
RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYENCRYPTED(0023428875DECFAC))
In this example, LDAP BIND passwords will be encrypted using the key stored in the LDAP.BINDPW.KEY profile in the KEYSMSTR class. The value of the key is 0023428875DECFAC.
Guideline: For security reasons, choose a key that is known only to you, the security administrator.
- Display the profile you created using the RLIST command to verify that the key is protected.
RLIST KEYSMSTR LDAP.BINDPW.KEY
Result: The value of your key should not be displayed, but the information shown indicates whether the key value is masked or encrypted.
Example:
CLASS      NAME
-----      ----
KEYSMSTR   LDAP.BINDPW.KEY

SSIGNON INFORMATION
-------------------
KEYENCRYPTED DATA NOT DISPLAYABLE
- Activate the KEYSMSTR class.
Example:
SETROPTS CLASSACT(KEYSMSTR)
Rule: You must activate the KEYSMSTR class before RACF® will use the keys stored in the KEYSMSTR profiles.
When you are done, the key that you stored in the SSIGNON segment of the KEYSMSTR profile will be used to encrypt and decrypt LDAP BIND passwords.
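The verification in step 3 is easy to do by hand for one profile, but an administrator auditing several KEYSMSTR profiles will want to check them in bulk. The following is an added example, not part of this documentation or of RACF: a small parser for saved RLIST KEYSMSTR output, following the layout shown above, that reports for each profile whether the key is encrypted, masked, or absent. The sample output is constructed; the profile names other than LDAP.BINDPW.KEY are made up for the example, and treating a masked key as a finding reflects the table above (masking is the fallback when no cryptographic software is installed), not a RACF rule.

```python
# Constructed sample of RLIST KEYSMSTR output, modelled on the example in the
# procedure above. Profile names other than LDAP.BINDPW.KEY are invented.
SAMPLE_RLIST_OUTPUT = """\
CLASS      NAME
-----      ----
KEYSMSTR   LDAP.BINDPW.KEY

SSIGNON INFORMATION
-------------------
KEYENCRYPTED DATA NOT DISPLAYABLE

CLASS      NAME
-----      ----
KEYSMSTR   EXAMPLE.MASKED.KEY

SSIGNON INFORMATION
-------------------
KEYMASKED DATA NOT DISPLAYABLE

CLASS      NAME
-----      ----
KEYSMSTR   EXAMPLE.NOSEGMENT.KEY
"""


def parse_keysmstr_rlist(text):
    """Map each KEYSMSTR profile name in RLIST output to its key protection.

    The value is 'KEYENCRYPTED', 'KEYMASKED', or None when the listing shows
    no SSIGNON information for that profile.
    """
    profiles = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        # A profile header line reads "KEYSMSTR   <profile-name>".
        if len(fields) == 2 and fields[0] == "KEYSMSTR":
            current = fields[1]
            profiles[current] = None
        # The SSIGNON section names the operand used, never the key value.
        elif current and fields and fields[0] in ("KEYENCRYPTED", "KEYMASKED"):
            profiles[current] = fields[0]
    return profiles


def audit_keysmstr(text):
    """Return (profile, reason) pairs for profiles an administrator should review."""
    findings = []
    for name, protection in parse_keysmstr_rlist(text).items():
        if protection is None:
            findings.append((name, "no SSIGNON segment: no key is stored"))
        elif protection == "KEYMASKED":
            findings.append((name, "key is masked; consider KEYENCRYPTED if ICSF is active"))
    return findings
```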