z/OS Cryptographic Services PKI Services Guide and Reference


Deciding the value of key_type

SA23-2286-00

Use the following decision table to determine the value of key_type in Table 1. The key_type variable determines whether you are using RSA, ICSF, PCICC, DSA, or ECC for private key protection.

By default, IKYSETUP does not use ICSF.
Guideline: Do not change the default the first time you run IKYSETUP, but change it before going into a production environment. (For information about installing and configuring ICSF, see Installing and configuring ICSF (optional).)
Table 1. Decision table for key_type

| If … | Then | Notes |
|---|---|---|
| You want to use software cryptography and you want a key generated using the RSA algorithm … | Do not change the default key_type=0 | |
| You want to use ICSF for private key protection but do not want the key generated by the PCI cryptographic coprocessor (PCICC) … | Set key_type=1 | Review and possibly change the following additional variables in Table 1: csfkeys_profile, csfserv_profile, csfusers_grp |
| You want to use ICSF for private key protection and you want the key generated by PCICC … | Set key_type=2 | PKI Services does not automatically back up the private key when you select the 2 value. Review and possibly change the following additional variables in Table 1: csfkeys_profile, csfserv_profile, csfusers_grp |
| You want to use software cryptography and you want a key generated using the DSA algorithm … | Set key_type=3 | The key cannot be saved in ICSF. |
| You want to use software cryptography and you want a key generated using the NIST ECC algorithm … | Set key_type=4 | The key cannot be saved in ICSF. |
| You want to use software cryptography and you want a key generated using the Brainpool (BP) ECC algorithm … | Set key_type=5 | The key cannot be saved in ICSF. |
| You want to use ICSF for private key protection and you want a key generated using the NIST ECC algorithm by the Crypto Express® 3 cryptographic coprocessor … | Set key_type=6 | Review and possibly change the following additional variables in Table 1: csfkeys_profile, csfserv_profile, csfusers_grp. PKI Services does not automatically back up the private key. |
| You want to use ICSF for private key protection and you want a key generated using the Brainpool (BP) ECC algorithm by the Crypto Express 3 cryptographic coprocessor … | Set key_type=7 | Review and possibly change the following additional variables in Table 1: csfkeys_profile, csfserv_profile, csfusers_grp. PKI Services does not automatically back up the private key. |
| You want PKI Services to generate a secure RSA key in the TKDS. | Set key_type=8 | The key is stored in the token daemon.CATOKEN. For example, PKISRVD.CATOKEN. |
| You want PKI Services to generate a secure NIST ECC key in the TKDS. | Set key_type=9 | The key is stored in the token daemon.CATOKEN. For example, PKISRVD.CATOKEN. |
| You want PKI Services to generate a secure Brainpool ECC key in the TKDS. | Set key_type=10 | The key is stored in the token daemon.CATOKEN. For example, PKISRVD.CATOKEN. |





Copyright IBM Corporation 1990, 2014