IBM Security Key Lifecycle Manager for z/OS, Version 1.1

Installing the Security Key Lifecycle Manager for z/OS and Keystores

This topic gives you instructions on how to set up your z/OS® environment to run the Security Key Lifecycle Manager for z/OS.

Install the Security Key Lifecycle Manager for z/OS as instructed in the Program Directory document. See Program Directory for IBM Security Key Lifecycle Manager for z/OS.

The Security Key Lifecycle Manager for z/OS requires the IBM® Java Software Developer Kit 5.0 or 6.0. See Hardware and Software Requirements. This topic was explained briefly in Planning your Security Key Lifecycle Manager for z/OS Environment. There are many possible ways you can set up your Security Key Lifecycle Manager for z/OS. This section shows you how to set up keys for the four possible keystore types:

For JCECCARACFKS and JCERACFKS type keystores, avoid alias or label names that consist of the same characters and differ only by case, for example, MyKey and mykey. When such names exist in a JCECCARACFKS or JCERACFKS keystore, a search mismatch can occur when information is stored in or retrieved from the keystore.
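A pre-check for the naming caveat above, as an added example that is not part of the IBM documentation: it scans a list of keystore labels for names that differ only by case, and checks a proposed new label against the existing ones. The function names and the sample labels are constructed for illustration, and the example assumes you have already exported the labels from your keyring as plain text, one per entry.

```python
from collections import defaultdict

# Constructed sample labels; in practice these come from your own keyring listing.
SAMPLE_LABELS = ["MyKey", "mykey", "TapeKey01", "DS8000Cert", "MYKEY", "tapekey02"]


def _normalize(label):
    # Assumption: surrounding whitespace is an artifact of the text export,
    # so it is stripped before comparing. Internal blanks are preserved.
    return label.strip()


def case_collisions(labels):
    """Return {folded_name: [labels...]} for labels that differ only by case."""
    groups = defaultdict(list)
    for raw in labels:
        label = _normalize(raw)
        if not label:
            continue
        bucket = groups[label.casefold()]
        if label not in bucket:  # exact duplicates are not a case collision
            bucket.append(label)
    return {key: names for key, names in groups.items() if len(names) > 1}


def conflicts_with(new_label, existing):
    """Return existing labels that match new_label except for letter case."""
    candidate = _normalize(new_label)
    return [
        label
        for label in map(_normalize, existing)
        if label.casefold() == candidate.casefold() and label != candidate
    ]


if __name__ == "__main__":
    for folded, names in case_collisions(SAMPLE_LABELS).items():
        print(f"case-only collision on '{folded}': {', '.join(names)}")
    clashes = conflicts_with("TAPEKEY01", SAMPLE_LABELS)
    if clashes:
        print(f"do not add 'TAPEKEY01': clashes with {clashes}")
```

Run it against the full label list before adding keys or certificates to the keyring, and rename any entry it reports before the keystore goes into production use.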

This topic also shows you how to run the Security Key Lifecycle Manager for z/OS in production mode.

Attention: The Security Key Lifecycle Manager for z/OS requests the generation of encryption keys and then passes those keys to the TS1120, TS1130, TS1140, LTO Ultrium 4, or LTO Ultrium 5 tape drives, and DS8000. The key material, in wrapped (encrypted) form, resides in system memory during processing by the Security Key Lifecycle Manager for z/OS. The key material must be transferred without error to the appropriate tape drive so that data can be recovered (decrypted). If corrupted key material is used to write data to a cartridge, the data written to that cartridge cannot be recovered. There are safeguards to make sure that such data errors do not occur. However, if the machine hosting the Security Key Lifecycle Manager for z/OS is not using Error Correction Code (ECC) memory, the key material can become corrupted while in system memory, and that corruption can then cause data loss. The chance of this occurrence is small, but as a best practice, use ECC memory for machines hosting critical applications.

