Storing an AES password encryption key in the SAF key ring

You can use the z/OS Password Encryption Key feature (zosPasswordEncryptionKey-1.0) to securely use Advanced Encryption Standard (AES) encrypted passwords in Liberty. This feature obtains the AES encryption key for an encrypted password at run time, so the encryption key itself is not stored in the server configuration.

About this task

You can specify the AES encryption key in your server configuration with the wlp.password.encryption.key variable. However, as a more secure alternative, you can use a private key stored in the System Authorization Facility (SAF) key ring.

When the zosPasswordEncryptionKey-1.0 feature is enabled, you can retrieve the AES encryption key from the System Authorization Facility (SAF) key ring by using the process credentials instead of the configured password. When this feature is enabled, the wlp.password.encryption.key variable is ignored.

Procedure

  • To use an encryption key that is stored in the SAF key ring, enable the zosPasswordEncryptionKey-1.0 feature in your server.xml file.
    Specify the key ring details and identify the personal certificate that holds the private key in the zosPasswordEncryptionKey element.
    <featureManager>
        <feature>zosPasswordEncryptionKey-1.0</feature>
    </featureManager>

    <zosPasswordEncryptionKey keyring="safkeyring:///KEYRING" label="WLP" type="JCERACFKS" />
    With this configuration, you can access the key ring and retrieve the private key from the certificate that is specified by the label attribute.
  • You can also use the securityUtility encode command to generate an AES-encrypted password with a key that is taken from the SAF key ring. The securityUtility command accepts the encryption key on the command line, but it can also retrieve the encryption key from the SAF key ring.
    Specify the --keyring, --keyringType, and --keyLabel options on the command line to access the private key that is used as the encryption key. You must be authorized to access the SAF key ring to use this option. The following example demonstrates the correct syntax for the securityUtility encode command.
    securityUtility encode --encoding=aes --keyring=safkeyring:///KEYRING1 --keyringType=JCERACFKS --keyLabel=WLP passwordToEncrypt
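As an added example, not taken from the IBM documentation or the Liberty code base, the following Python script audits a server.xml for the configuration that this task describes: the feature is enabled, the zosPasswordEncryptionKey element names a SAF key ring, type and certificate label, the wlp.password.encryption.key variable is not left in the configuration where it would be ignored, and password attributes carry the {aes} prefix that securityUtility encode produces. The two sample server.xml documents are constructed for the example, and the {aes} and {xor} values in them are placeholders, not real securityUtility output.

```python
import xml.etree.ElementTree as ET

FEATURE = "zosPasswordEncryptionKey-1.0"

def audit_server_xml(xml_text: str) -> list[str]:
    """Return findings for a server.xml; an empty list means the SAF key ring setup is consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    feature_on = FEATURE in features
    if not feature_on:
        findings.append(f"{FEATURE} is not enabled; the AES key must come from wlp.password.encryption.key")
    elems = root.findall("zosPasswordEncryptionKey")
    if feature_on and not elems:
        findings.append("zosPasswordEncryptionKey element missing: no key ring or certificate is named")
    for e in elems:
        ring = e.get("keyring", "")
        if not ring.startswith("safkeyring://"):
            findings.append(f"keyring is not a SAF key ring URI: {ring!r}")
        if e.get("type") != "JCERACFKS":
            findings.append(f"unexpected key ring type: {e.get('type')!r}")
        if not e.get("label"):
            findings.append("label missing: no personal certificate identifies the private key")
    for v in root.iter("variable"):  # key placed in the configuration file itself
        if v.get("name") == "wlp.password.encryption.key":
            findings.append("wlp.password.encryption.key is set in server.xml"
                            + (" but is ignored while the feature is enabled" if feature_on else ""))
    for el in root.iter():  # any element with a password attribute, e.g. dataSource properties
        pw = el.get("password")
        if pw is not None and not pw.startswith("{aes}"):
            findings.append(f"<{el.tag}> password is not AES-encoded (prefix {pw[:5]!r})")
    return findings

# Constructed sample configurations; the encoded values are placeholders, not real ciphertext.
SAMPLE_OK = """<server>
  <featureManager><feature>zosPasswordEncryptionKey-1.0</feature></featureManager>
  <zosPasswordEncryptionKey keyring="safkeyring:///KEYRING" label="WLP" type="JCERACFKS"/>
  <dataSource><properties user="db2user" password="{aes}PLACEHOLDERBLOB"/></dataSource>
</server>"""
SAMPLE_BAD = """<server>
  <featureManager><feature>zosPasswordEncryptionKey-1.0</feature></featureManager>
  <variable name="wlp.password.encryption.key" value="key-left-in-config"/>
  <zosPasswordEncryptionKey keyring="safkeyring:///KEYRING" label="WLP" type="JCERACFKS"/>
  <dataSource><properties user="db2user" password="{xor}PLACEHOLDER"/></dataSource>
</server>"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_server_xml(sample) or ["no findings"])
```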