Cryptographic services key management

Cryptographic services key management for the IBM® i operating system allows you to store and manage master keys and keystores. Since you are exchanging sensitive data to manage master keys and keystores, it is recommended that you use a secure session.

Cryptographic Services supports a hierarchical key system. At the top of the hierarchy is a set of master keys. These keys are the only key values stored in the clear (unencrypted). Cryptographic services securely stores the master keys within the IBM i Licensed Internal Code (LIC).

Eight general-purpose master keys are used to encrypt other keys, which can then be stored in keystore files. Keystore files are database files. Any type of key supported by cryptographic services can be stored in a keystore file, for example AES, RC2, RSA, and SHA1-HMAC keys.

In addition to the eight general-purpose master keys, cryptographic services supports two special-purpose master keys. The ASP master key is used for protecting data in an Independent Auxiliary Storage Pool (known in the Disk Management GUI as an Independent Disk Pool). The save/restore master key is used to encrypt the other master keys when they are saved to media using a Save System (SAVSYS) operation.

You can work with Cryptographic services key management using the IBM Navigator for i interface. You can access IBM Navigator for i by visiting the following URL from a Web browser where hostA is your System i® name:

After you connect to IBM Navigator for i, click i5/OS Management and then click Security > Cryptographic Services Key Management. From there you can manage master keys and cryptographic keystore files.

You can also use the cryptographic services APIs or the control language (CL) commands to work with the master keys and keystore files.
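The following CL program is an added example, not part of the original page: it shows the key hierarchy described above from the command line, loading one general-purpose master key from two key parts, then creating a keystore file protected by that master key and generating an AES key record in it. Command names (ADDMSTPART, SETMSTKEY, CRTCKMKSF, GENCKMKSFE) and their parameter names are assumed from the IBM i 7.1 and later CL command set; the library, file name, record label and pass phrases are placeholders constructed for the example.

```cl
/* Added example (not from the original page). Command and parameter    */
/* names are assumed (IBM i 7.1+ CL); MYLIB/MYKEYS, the record label     */
/* and the pass phrases are constructed placeholders.                    */
PGM

  /* Master key 1 is built from two key parts. Each part is normally     */
  /* entered by a different custodian so no single person knows the      */
  /* complete key value. The parts are combined inside the LIC, which is */
  /* the only place the finished master key is ever held in the clear.   */
  /* In practice run ADDMSTPART interactively rather than from source so */
  /* the pass phrases are not left in a source member or job log.        */
  ADDMSTPART MSTKEY(1) PASSPHRASE('custodian one part (constructed)')
  ADDMSTPART MSTKEY(1) PASSPHRASE('custodian two part (constructed)')

  /* Promote the pending (new) version to the current master key 1.      */
  SETMSTKEY  MSTKEY(1)

  /* Create a keystore file, which is a database file, whose key records */
  /* are encrypted under master key 1.                                   */
  CRTCKMKSF  KEYSTORE(MYLIB/MYKEYS) MSTKEY(1) +
               TEXT('Keys for application X (placeholder)')

  /* Generate an AES key record. KEYSIZE is assumed to be in bytes, so   */
  /* 32 gives a 256-bit key. The key value is encrypted under master     */
  /* key 1 before it is written to the keystore file; only the master    */
  /* key in the LIC is stored unencrypted.                               */
  GENCKMKSFE KEYSTORE(MYLIB/MYKEYS) RCDLBL('APPX_AES256') +
               KEYTYPE(*AES) KEYSIZE(32)

ENDPGM
```

Run the program from a secure (SSL-protected) session, as the note below advises, since the pass phrases and key labels are sensitive.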

Note: You should use Secure Sockets Layer (SSL) to reduce the risk of exposing key values while performing key management functions.