Creating writable SAF keyrings
WebSphere® provides the function that allows a WebSphere administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) Data library functions for SAF keyrings. This task creates new keystore configurations and their associated keyrings.
Before you begin
safkeyring:///your_keyring_name
Attention: The JCERACFKS keystore type is only available on the z/OS® platform.
Important: You must enable support for writable keyrings using the profile management tool before generating the application server profiles. Writable keyring support is only configurable when running at z/OS Release 1.9, or at z/OS Release 1.8 with APAR OA22287 for RACF (or the APAR for your equivalent security product) and APAR OA22295 for SAF.
About this task
Procedure
Results
What to do next
RACF keyring considerations
- Certificate Deletion: When a certificate is deleted from a RACF keyring, the certificate is not deleted from RACF. It is only disconnected from the keyring. The certificate can be reconnected through RACF if it is accidentally removed from the keyring. If you want the certificate completely deleted from RACF, it must be removed by the RACF administrator.
- Import and Export of Certificates: During the import and export of certificates to and from managed SAF keystores, if the certificate already exists in RACF under a different label, it is connected to the keyring with the existing label, regardless of the label you assign the certificate on the import or export command.
- Renewing Certificates: Certificates are not physically deleted from RACF. The existing certificate label still exists in RACF, and renewing a certificate increments the alias (label) of the certificate by appending _1, _2, and so on, to the existing certificate label.
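The three keyring behaviours above are easy to get wrong when auditing what a "delete" actually did. The following is an added example, a constructed toy model written for this page (not IBM code and not the RACF or WebSphere API), that reproduces those rules so an administrator can reason about which certificates still exist in RACF after keyring operations; the class, method and label names are this example's own.

```python
from dataclasses import dataclass, field

@dataclass
class RacfModel:
    """Constructed model of RACF certificate storage plus SAF keyrings (not RACF's API)."""
    certs: dict = field(default_factory=dict)   # RACF label -> certificate body
    rings: dict = field(default_factory=dict)   # keyring name -> connected labels

    def import_cert(self, ring: str, label: str, body: str) -> str:
        """Import into a managed keyring. If the same certificate already exists in
        RACF under a different label, it is connected under that existing label and
        the requested label is ignored. Returns the label actually connected."""
        existing = next((lbl for lbl, b in self.certs.items() if b == body), None)
        if existing is None:
            self.certs[label] = body
            existing = label
        connected = self.rings.setdefault(ring, [])
        if existing not in connected:
            connected.append(existing)
        return existing

    def delete_from_ring(self, ring: str, label: str) -> None:
        """Delete from the keyring: disconnect only; the certificate stays in RACF."""
        self.rings[ring].remove(label)

    def reconnect(self, ring: str, label: str) -> None:
        """A disconnected certificate can be connected again by its RACF label."""
        if label not in self.certs:
            raise KeyError(f"{label} is not in RACF")
        self.rings.setdefault(ring, []).append(label)

    def renew(self, ring: str, label: str, new_body: str) -> str:
        """Renew: the old label is never removed; the new certificate takes the first
        free label of the form <label>_1, <label>_2, ... Returns the connected label.
        (The page does not say whether the old label stays connected; this model
        leaves it connected.)"""
        n = 1
        while f"{label}_{n}" in self.certs:
            n += 1
        return self.import_cert(ring, f"{label}_{n}", new_body)

    def disconnected_in_racf(self, ring: str) -> list:
        """Audit helper: labels that still exist in RACF but are not on this ring.
        Removing them for good is a RACF administrator action, not a keyring one."""
        return sorted(set(self.certs) - set(self.rings.get(ring, [])))
```

Running `disconnected_in_racf` after a keyring cleanup shows what a RACF administrator still has to remove by hand.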