IBM Security Key Lifecycle Manager for z/OS, Version 1.1

Obtaining Digital Certificates

Before starting Security Key Lifecycle Manager for z/OS, you must have at least one X.509 digital certificate in its keystore, together with the private key that corresponds to the public key in the certificate. That key pair protects the data encryption key that Security Key Lifecycle Manager for z/OS creates when encrypting data to tape. The use of certificates, their public keys, and the corresponding private keys is explained in Importance of keys and certificates. Security Key Lifecycle Manager for z/OS allows two digital certificate aliases (labels) to be specified per write request. At least one of the two labels must have a private key in the Security Key Lifecycle Manager for z/OS keystore when the tape is created; this guarantees that the creator of the tape can read the tape. The other label can refer to a certificate that holds only the public key of a business partner, who can then decrypt the tape with their own private key. To read an encrypted tape, the private key matching one of the certificates used when the tape was written is required.

There are two methods of setting up digital certificates:
Note: The Security Key Lifecycle Manager for z/OS does not read certificates with NO-TRUST status. To verify the status with RACF®, issue a RACDCERT LIST command for the certificate and check the Status field of the output. This pertains to ACF2 and other security products as well. This note is only applicable to the JCERACFKS and JCECCARACFKS keystore types.
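The following REXX exec is an added example, not part of the IBM documentation, showing how the two labels described above are typically created in a RACF keyring for a JCERACFKS keystore and how their trust status is checked. The user ID KLMUSER, the ring name ISKLMRING, the data set name KLMUSER.PARTNER.CERT and the two labels are assumptions for illustration only.

```rexx
/* REXX */
/* Added example (not from the ISKLM documentation). User ID KLMUSER,
   ring ISKLMRING, the partner data set and both labels are assumed
   names chosen for illustration.                                        */
ADDRESS TSO

/* 1. A self-signed certificate with a private key owned by the ISKLM
      user ID. This is the label that must be on every write request so
      that the creator of the tape can always read it back.              */
"RACDCERT ID(KLMUSER) GENCERT",
   "SUBJECTSDN(CN('ISKLM Tape Key') OU('Storage') O('Example Corp') C('US'))",
   "WITHLABEL('ISKLM.LOCAL') SIZE(2048) NOTAFTER(DATE(2030-12-31)) TRUST"

/* 2. A business partner's certificate, imported from a data set that
      holds only the public certificate. No private key is stored, so a
      tape written with this label can be read by the partner, who holds
      the matching private key.                                          */
"RACDCERT ID(KLMUSER) ADD('KLMUSER.PARTNER.CERT') WITHLABEL('PARTNER.PUB') TRUST"

/* 3. Build the keyring that ISKLM opens as a JCERACFKS keystore and
      connect both certificates to it.                                   */
"RACDCERT ID(KLMUSER) ADDRING(ISKLMRING)"
"RACDCERT ID(KLMUSER) CONNECT(ID(KLMUSER) LABEL('ISKLM.LOCAL')",
   "RING(ISKLMRING) USAGE(PERSONAL) DEFAULT)"
"RACDCERT ID(KLMUSER) CONNECT(ID(KLMUSER) LABEL('PARTNER.PUB')",
   "RING(ISKLMRING) USAGE(PERSONAL))"

/* 4. Verify. In the LIST output confirm 'Status: TRUST' for both labels
      and that 'Private Key Type' is not 'None' for ISKLM.LOCAL. A label
      that shows NOTRUST is ignored by ISKLM.                            */
"RACDCERT ID(KLMUSER) LIST(LABEL('ISKLM.LOCAL'))"
"RACDCERT ID(KLMUSER) LIST(LABEL('PARTNER.PUB'))"
"RACDCERT ID(KLMUSER) LISTRING(ISKLMRING)"

/* 5. Repair step if a label came back NOTRUST, for example a partner
      certificate whose issuing CA is not known to RACF.                 */
"RACDCERT ID(KLMUSER) ALTER(LABEL('PARTNER.PUB')) TRUST"

/* RACF caches certificate and ring data; refresh so the changes are
   visible to the keystore.                                              */
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
```

The exec must be run from a user ID with the appropriate RACDCERT and SETROPTS authority. Step 5 is only needed when step 4 reports NOTRUST; leave an imported certificate at NOTRUST if you have not verified its origin, because setting TRUST is what makes it usable for writing tapes. For a JCECCARACFKS keystore, the private key of the local certificate must be ICSF-managed, which is requested by adding the ICSF keyword to the GENCERT command in step 1.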

