Create the Security Key Lifecycle Manager for z/OS configuration file in /u/isklmsrv and customize it for your installation:
- Audit.handler.file.directory
- Set this parameter to the location where you want the Security Key Lifecycle Manager for z/OS to store the audit logs.
- Audit.metadata.file.name
- Specify a file name for the metadata XML file.
- config.drivetable.file.url
- Specify a location for information about drives that are known
to the Security Key Lifecycle Manager for z/OS.
This file is not required to exist before starting the Security Key Lifecycle Manager for z/OS server
or Security Key Lifecycle Manager for z/OS Admin console. If it does not exist, it is created
during shutdown of the Security Key Lifecycle Manager for z/OS server
or Security Key Lifecycle Manager for z/OS Admin Console.
- Admin.ssl.keystore.name
- Admin.ssl.truststore.name
- config.keystore.file
- TransportListener.ssl.keystore.name
- TransportListener.ssl.truststore.name
- Specify the path and file name of the keystore created previously.
- requireHardwareProtectionForSymmetricKeys
- This option defines whether the data encryption keys used with the JCECCAKS, JCECCA, or JCECCARACFKS keystores are to be protected by z/OS® cryptographic hardware. Keys generated and used by the Security Key Lifecycle Manager for z/OS only appear in host storage. They appear in an encrypted form that is protected by a hardware resident master key.
- drive.acceptUnknownDrives
- Specify true or false. A value of true allows new tape drives
that contact the Security Key Lifecycle Manager for z/OS to
be automatically added to the device table. The default is false.
If you specify true for this value, set drive.default.alias1 and drive.default.alias2
to the certificate alias and key label that you previously created.
- ds8k.acceptUnknownDrives
- Specify true or false. A value of true allows a new DS8000 that
contacts the Security Key Lifecycle Manager for z/OS to
be automatically added to the device table. The default is false.
The following example illustrates a Security Key Lifecycle Manager for z/OS configuration file that uses the JCECCARACFKS keystore type, customized for a z/OS system that is using shared HFS where systemname = JA0.
Admin.ssl.keystore.name = safkeyring://ISKLMSRV/KLMRing
Admin.ssl.truststore.name = safkeyring://ISKLMSRV/KLMRing
Audit.event.outcome = success,failure
Audit.event.outcome.do = success,failure
Audit.event.types = all
Audit.event.types.backup = data synchronization, runtime, configuration management, resource management
Audit.eventQueue.max = 0
Audit.handler.file.directory = /isklmlogs/JA0/audit
Audit.handler.file.name = kms_audit.log
Audit.handler.file.size = 10000
Audit.metadata.file.name = /keylifecyclemanager/metafile.xml
config.drivetable.file.url = FILE:/u/isklmsrv/JA0/filedrive.table
config.keystore.file = safkeyring://ISKLMSRV/ISKLMRing
config.keystore.password = password
config.keystore.provider = IBMJCECCA
config.keystore.type = JCECCARACFKS
debug = none
debug.output = simple_file
debug.output.file = /isklmlogs/JA0/debug
drive.acceptUnknownDrives = true
drive.default.alias1 = ISKLMServer
drive.default.alias2 = ISKLMServer
fips = Off
requireHardwareProtectionForSymmetricKeys = true
TransportListener.ssl.ciphersuites = JSSE_ALL
TransportListener.ssl.clientauthentication = 0
TransportListener.ssl.keystore.name = safkeyring://ISKLMSRV/ISKLMServer
TransportListener.ssl.keystore.password = password
TransportListener.ssl.keystore.type = JCECCARACFKS
TransportListener.ssl.port = 1443
TransportListener.ssl.protocols = SSL_TLS
TransportListener.ssl.truststore.name = safkeyring://ISKLMSRV/ISKLMServer
TransportListener.ssl.truststore.type = JCECCARACFKS
TransportListener.tcp.port = 3801
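
The parameter rules described above can be checked before the server is started. The following lint script is an added example, not IBM code: the `CUSTOMIZED` list, the severity labels, and the choice to treat a missing parameter or disabled hardware protection as a finding are assumptions of this example, and the sample input is constructed.

```python
# Added example (not IBM code): lint a configuration file against the rules on this page.
CUSTOMIZED = [  # parameters this page says to customize; treating them as mandatory is an assumption
    "Audit.handler.file.directory", "Audit.metadata.file.name",
    "config.drivetable.file.url", "config.keystore.file",
    "Admin.ssl.keystore.name", "Admin.ssl.truststore.name",
    "TransportListener.ssl.keystore.name", "TransportListener.ssl.truststore.name",
]

# Constructed sample: auto-accept is on, but drive.default.alias2 and
# TransportListener.ssl.truststore.name are missing.
SAMPLE = """\
Admin.ssl.keystore.name = safkeyring://ISKLMSRV/KLMRing
Admin.ssl.truststore.name = safkeyring://ISKLMSRV/KLMRing
Audit.handler.file.directory = /isklmlogs/JA0/audit
Audit.metadata.file.name = /keylifecyclemanager/metafile.xml
config.drivetable.file.url = FILE:/u/isklmsrv/JA0/filedrive.table
config.keystore.file = safkeyring://ISKLMSRV/ISKLMRing
drive.acceptUnknownDrives = true
drive.default.alias1 = ISKLMServer
requireHardwareProtectionForSymmetricKeys = false
TransportListener.ssl.keystore.name = safkeyring://ISKLMSRV/ISKLMServer
"""

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and #/! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"

def lint(props):
    """Return a list of (severity, parameter, message) findings."""
    out = [("error", k, "missing or empty") for k in CUSTOMIZED if not props.get(k)]
    for flag in ("drive.acceptUnknownDrives", "ds8k.acceptUnknownDrives"):
        if is_true(props, flag):  # the documented default is false
            out.append(("warn", flag, "new devices are added to the device table automatically"))
    if is_true(props, "drive.acceptUnknownDrives"):
        out += [("error", a, "must be set when drive.acceptUnknownDrives is true")
                for a in ("drive.default.alias1", "drive.default.alias2") if not props.get(a)]
    if not is_true(props, "requireHardwareProtectionForSymmetricKeys"):
        out.append(("warn", "requireHardwareProtectionForSymmetricKeys", "hardware protection not required"))
    return out

if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE)):
        print(*finding, sep=": ")
```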