z/OS Security Server RACF Security Administrator's Guide


Steps for storing a key in a KEYSMSTR profile

SA23-2289-00

Perform the following steps to define a KEYSMSTR profile and store an encryption key.

  1. Choose a type of key encryption. Base your choice of encryption type on whether your system has cryptographic software, such as ICSF, installed.
    If you have...                        Then use...                               Notes
    -----------------------------------   ---------------------------------------   ----------------------------------------------------------------------------------
    Cryptographic software installed      Key encryption (KEYENCRYPTED operand)     Cryptographic software must be active on the system when you define the KEYSMSTR profile.
    No cryptographic software installed   Key masking (KEYMASKED operand)           -

    ______________________________________________________________________

  2. Create a profile in the KEYSMSTR class to define and store your encryption key, using your choice of encryption type as the operand of the SSIGNON segment.
    Example:
    RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYENCRYPTED(0023428875DECFAC))

    In this example, LDAP BIND passwords will be encrypted using the key stored in the LDAP.BINDPW.KEY profile in the KEYSMSTR class. The value of the key is 0023428875DECFAC.

    Guideline: For security reasons, choose a key that is known only to you, the security administrator.

    ______________________________________________________________________

  3. Display the profile you created using the RLIST command to verify that the key is protected.
    RLIST KEYSMSTR LDAP.BINDPW.KEY 

    Result: The value of your key should not be displayed, but the information shown indicates whether the key value is masked or encrypted.

    Example:
        CLASS      NAME                
        -----      ----                
        KEYSMSTR   LDAP.BINDPW.KEY     
                                       
        SSIGNON INFORMATION            
        -------------------            
        KEYENCRYPTED DATA NOT DISPLAYABLE 

    ______________________________________________________________________

  4. Activate the KEYSMSTR class.
    Example:
    SETROPTS CLASSACT(KEYSMSTR) 
    Rule: You must activate the KEYSMSTR class before RACF® will use the keys stored in the KEYSMSTR profiles.

    ______________________________________________________________________

When you are done, the key that you stored in the SSIGNON segment of the KEYSMSTR profile will be used to encrypt and decrypt LDAP BIND passwords.
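The following is an added helper for steps 2 and 3 above; it is example code, not part of this IBM publication or of RACF. It builds the RDEFINE command for the chosen encryption type and inspects an RLIST display to confirm that only the protection type, never the key value, is shown. It assumes the key value is 16 hexadecimal digits, as in the example on this page, and that a masked key is displayed as "KEYMASKED DATA NOT DISPLAYABLE" in the same way as the encrypted key shown above.

```python
import re

# Assumption (not stated on this page): a KEYSMSTR key value is 16 hex digits,
# the length of the key used in the RDEFINE example above.
KEY_RE = re.compile(r"^[0-9A-Fa-f]{16}$")
# Line expected under "SSIGNON INFORMATION" when the key is protected.
# The KEYMASKED form is assumed to mirror the KEYENCRYPTED form shown above.
PROTECTED_RE = re.compile(r"^\s*(KEYENCRYPTED|KEYMASKED)\s+DATA NOT DISPLAYABLE\s*$")


def build_rdefine(profile: str, key_hex: str, crypto_software_active: bool) -> str:
    """Step 2: build the RDEFINE command, selecting KEYENCRYPTED when
    cryptographic software such as ICSF is active and KEYMASKED otherwise."""
    if not KEY_RE.match(key_hex):
        raise ValueError("key value must be exactly 16 hexadecimal digits")
    operand = "KEYENCRYPTED" if crypto_software_active else "KEYMASKED"
    return f"RDEFINE KEYSMSTR {profile} SSIGNON({operand}({key_hex.upper()}))"


def check_rlist(rlist_output: str, key_hex: str) -> dict:
    """Step 3: read the RLIST display and report which protection is in
    effect and whether the key value itself is visible (it never should be)."""
    protection = None
    in_ssignon = False
    for line in rlist_output.splitlines():
        if line.strip() == "SSIGNON INFORMATION":
            in_ssignon = True
            continue
        if in_ssignon:
            m = PROTECTED_RE.match(line)
            if m:
                protection = m.group(1)
                break
    exposed = key_hex.upper() in rlist_output.upper()
    return {"protection": protection, "key_exposed": exposed}


# Constructed sample: the RLIST display shown on this page for the example key.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
KEYSMSTR   LDAP.BINDPW.KEY

SSIGNON INFORMATION
-------------------
KEYENCRYPTED DATA NOT DISPLAYABLE
"""

if __name__ == "__main__":
    print(build_rdefine("LDAP.BINDPW.KEY", "0023428875DECFAC", True))
    print(check_rlist(SAMPLE_RLIST, "0023428875DECFAC"))
```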





Copyright IBM Corporation 1990, 2014