Use of SAF key rings

IBM® MQ Advanced Message Security makes use of existing SAF key ring services to define and manage the certificates needed for signing and encryption. Security products that are functionally equivalent to RACF® may be used instead of RACF if they provide the same level of support.

Efficient use of key rings can reduce the administration needed to manage the certificates.

After a certificate is generated (or imported), it must be connected to a key ring to become accessible. The same certificate can be connected to more than one key ring.

IBM MQ Advanced Message Security uses two sets of key rings. One set consists of key rings owned by the individual user IDs that originate or receive messages. Each key ring contains the private key associated with the certificate of the owning user ID. The private key of each certificate is used to sign messages for integrity-protected or privacy-protected queues. It is also used to decrypt messages from privacy-protected queues when receiving messages.

The other set is actually a single key ring associated with the AMS address space. For integrity or privacy protection, it contains the chain of signing CA certificates necessary to validate the signature and message-signing certificate of the message originator.

When privacy protection is used, this key ring also contains the certificates of the message recipients. The public keys in these certificates are used to encrypt the symmetric key that was used to encrypt the message data when the message was put to the protected queue. When these messages are retrieved, the relevant recipient's private key is used to decrypt the symmetric key, which in turn is used to decrypt the message data.

IBM MQ Advanced Message Security uses a key ring name of drq.ams.keyring when searching for certificates and private keys. This is the case for both the user and the AMS address space key rings.

For an illustration and further explanation of certificates and key rings, and their role in data protection, refer to Summary of the certificate-related operations.

The private key used for signing and decryption can have any label but must be connected as the default certificate.

Digital certificates and key rings are managed in RACF primarily by using the RACDCERT command.
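The two kinds of key ring described above, set up with RACDCERT from a REXX exec, as an added example that is not part of the IBM documentation. USER1 (originates and receives messages), USER2 (a recipient whose certificate is assumed to exist already), AMSUSER (standing in for the AMS address space user ID) and the CA label AMSCA are placeholders, and the USAGE keywords follow RACF convention rather than anything stated on this page.

```rexx
/* REXX: added example, not from the IBM page. Sets up both kinds of
   AMS key ring. USER1 originates/receives messages, USER2 is a message
   recipient whose certificate already exists, AMSUSER stands in for the
   AMS address space user ID and AMSCA for the label of the local signing
   CA (all placeholders).                                                */
address TSO
ring = "drq.ams.keyring"      /* the fixed ring name AMS searches for */

/* 1. Key ring owned by the individual user ID */
"RACDCERT ID(USER1) ADDRING("ring")"

/* 2. Certificate plus private key, signed by the local CA. The label can
      be anything; the DEFAULT connection in step 3 is what matters.     */
"RACDCERT ID(USER1) GENCERT SUBJECTSDN(CN('USER1') O('EXAMPLE') C('US'))",
   "WITHLABEL('USER1 AMS cert') SIGNWITH(CERTAUTH LABEL('AMSCA'))"

/* 3. Connect it as the DEFAULT certificate: AMS uses this private key to
      sign, and to decrypt the symmetric key of privacy-protected messages */
"RACDCERT ID(USER1) CONNECT(ID(USER1) LABEL('USER1 AMS cert')",
   "RING("ring") DEFAULT USAGE(PERSONAL))"

/* 4. The single key ring of the AMS address space, same ring name */
"RACDCERT ID(AMSUSER) ADDRING("ring")"

/* 5. CA chain needed to validate originators' signing certificates */
"RACDCERT ID(AMSUSER) CONNECT(CERTAUTH LABEL('AMSCA')",
   "RING("ring") USAGE(CERTAUTH))"

/* 6. Privacy protection: each recipient's certificate, public key only;
      the private key stays in the recipient's own ring. USAGE(SITE) is an
      assumption, following the RACF convention for trusted end-entity
      certificates connected to another ID's ring.                       */
"RACDCERT ID(AMSUSER) CONNECT(ID(USER2) LABEL('USER2 AMS cert')",
   "RING("ring") USAGE(SITE))"

/* 7. Refresh the in-storage profiles and check both rings */
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
"RACDCERT ID(USER1) LISTRING("ring")"
"RACDCERT ID(AMSUSER) LISTRING("ring")"
exit
```

The LISTRING output for USER1 should show the certificate flagged as the default, and the AMSUSER ring should list the CA certificate and the recipient certificates without private keys.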

For more information about certificates, labels, and the RACDCERT command, see z/OS®: Security Server RACF Command Language Reference and z/OS: Security Server RACF Security Administrator's Guide.