z/OS Cryptographic Services System SSL Programming


Creating, opening, and deleting a z/OS PKCS #11 token

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

To create a new z/OS® PKCS #11 token, enter 11 at the command prompt on the Database Menu:

Figure 1. Creating a New z/OS PKCS #11 Token
       Database Menu                                                    
                                                                        
   1 - Create new database                                              
   2 - Open database                                                    
   3 - Change database password                                         
   4 - Change database record length                                    
   5 - Delete database                                                  
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)

  11 - Create new token 
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens                                 

   0 - Exit program 

Enter option number: 11 <enter>
Enter token name (press ENTER to return to menu): TOKEN1 <enter>

Token successfully created

Press ENTER to continue.                                                      
                                                                       

The only input required when creating a new z/OS PKCS #11 token is the token name.

Note: Only users with SAF access level of UPDATE or CONTROL to the CRYPTOZ resource "so.tokenname" have the authority to create the z/OS PKCS #11 token with the name "tokenname".
Note: A z/OS PKCS #11 token contains no certificates or keys when first created.

After entering the token name, a message displays confirming that the z/OS PKCS #11 token was created (see Figure 1). You are prompted to press Enter to continue. Doing so redisplays the Database Menu.

To open an existing z/OS PKCS #11 token, enter either option 13 or option 14 on the Database Menu. If option 13 is used:

Figure 2. Opening a z/OS PKCS #11 Token from token name
       Database Menu                                                    
                                                                        
   1 - Create new database                                              
   2 - Open database                                                    
   3 - Change database password                                         
   4 - Change database record length                                    
   5 - Delete database                                                  
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)

  11 - Create new token 
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens                                 

   0 - Exit program 

Enter option number: 13 <enter>
Enter token name (press ENTER to return to menu): TOKEN1 <enter>
                                                    

If option 14 is used:

Figure 3. Opening a z/OS PKCS #11 Token from token list
       Database Menu                                                    
                                                                        
   1 - Create new database                                              
   2 - Open database                                                    
   3 - Change database password                                         
   4 - Change database record length                                    
   5 - Delete database                                                  
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)

  11 - Create new token 
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens                                 

   0 - Exit program 

Enter option number: 14 <enter>
    Token List                                                          
                                                                        
   1 - TOKEN1

   0 - Return to selection menu

Enter list-entry number (press ENTER to return to previous menu): 1 <enter>

After either entering the token name (if option 13 is used) or selecting the token from a list of tokens (if option 14 is used), the Token Management Menu displays the selected z/OS PKCS #11 token.

Figure 4. Token Management Menu
                                                                   
       Token Management Menu                                         
                                                                   
       Token: TOKEN1               

       Manufacturer:  z/OS PKCS11 API
       Model:  HCR77A0
       Flags:  0x00000509 (INITIALIZED,PROT AUTH PATH,USER PIN INIT,RNG)
                                                                          
   1 - Manage keys and certificates                                
   2 - Manage certificates                                         
   3 - Manage certificate requests                                 
   4 - Create new certificate request                              
   5 - Receive requested certificate or a renewal certificate      
   6 - Create a self-signed certificate                            
   7 - Import a certificate                                        
   8 - Import a certificate and a private key                      
   9 - Show the default key                                        
  10 - Delete token                                     
                                                                     
   0 - Exit program                                                
                                                                   
Enter option number (press ENTER to return to previous menu):      
 ===>                                                              
                                                                   
Note: Only users with SAF access level of READ, UPDATE, or CONTROL to the CRYPTOZ resource "so.tokenname" or "user.tokenname" have the authority to open the z/OS PKCS #11 token with the name "tokenname".

To delete an existing z/OS PKCS #11 token, either enter option 12 on the Database Menu or select option 10 from the Token Management Menu.

If option 12 on the Database Menu is used:

Figure 5. Deleting an existing z/OS PKCS #11 Token
       Database Menu                                                    
                                                                        
   1 - Create new database   
   2 - Open database      
   3 - Change database password     
   4 - Change database record length   
   5 - Delete database                 
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)

  11 - Create new token 
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens                                 


   0 - Exit program 


Enter option number:12 <enter>
Enter token name (press ENTER to return to menu):TOKEN1 <enter>
To confirm token delete, enter token name again (press ENTER to cancel delete):TOKEN1 <enter>

Token successfully deleted

Press ENTER to continue.

 ===>

If option 10 on the Token Management Menu is used:

Figure 6. Deleting an existing z/OS PKCS #11 Token
                                                                   
       Token Management Menu                                         
                                                                   
       Token: TOKEN1               

       Manufacturer:  z/OS PKCS11 API
       Model:  HCR77A0
       Flags:  0x00000509 (INITIALIZED, PROT AUTH PATH, USER PIN INIT, RNG)
                                                                          
   1 - Manage keys and certificates  
   2 - Manage certificates    
   3 - Manage certificate requests    
   4 - Create new certificate request  
   5 - Receive requested certificate or a renewal certificate                 
   6 - Create a self-signed certificate    
   7 - Import a certificate          
   8 - Import a certificate and a private key   
   9 - Show the default key   
  10 - Delete token         
                            
                                                                     
   0 - Exit program       
                                         
                                                                   
Enter option number (press ENTER to return to previous menu): 10 <enter>
To confirm token delete, enter token name again (press ENTER to cancel delete): TOKEN1 <enter>

Token successfully deleted

Press ENTER to continue.
===>

With either approach, you are prompted to enter the token name again to confirm that the correct token is deleted. A message is displayed to confirm that the z/OS PKCS #11 token has been deleted. The token does not have to be empty before performing the delete.

Note: Only users with SAF access level of UPDATE or CONTROL to the CRYPTOZ resource "so.tokenname" have the authority to delete the z/OS PKCS #11 token with the name "tokenname".
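
The three access notes on this page (create, open, delete) can be turned into a least-privilege review. The following is an added example, not IBM code and not part of the original page: it applies those rules to a constructed permit list to show which users can open, create, or delete each token. The permit-line format, the user IDs, and the TOKEN2 token are assumptions made for illustration.

```python
# Added example: constructed data, not output of any z/OS or RACF command.
from collections import defaultdict

# Access levels the page names for CRYPTOZ resources, lowest to highest.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}

# Constructed permit list: "<resource> <user> <access>" per line (assumed format).
SAMPLE_PERMITS = """\
SO.TOKEN1    SECADM1  CONTROL
SO.TOKEN1    OPER7    UPDATE
USER.TOKEN1  WEBSRV   READ
USER.TOKEN1  OPER7    READ
SO.TOKEN2    SECADM1  UPDATE
USER.TOKEN2  BATCH01  UPDATE
"""

def parse_permits(text):
    """Return {token: {user: {"SO": level, "USER": level}}} from permit lines."""
    acl = defaultdict(lambda: defaultdict(lambda: {"SO": 0, "USER": 0}))
    for line in text.splitlines():
        if not line.strip():
            continue
        resource, user, access = line.upper().split()
        role, _, token = resource.partition(".")
        if role not in ("SO", "USER") or not token or access not in LEVELS:
            raise ValueError(f"unrecognised permit line: {line!r}")
        entry = acl[token][user]
        entry[role] = max(entry[role], LEVELS[access])
    return acl

def token_rights(entry):
    """Apply the page's rules to one user's access on one token."""
    so, user = entry["SO"], entry["USER"]
    return {
        # Create and delete need UPDATE or CONTROL on SO.<tokenname>.
        "create": so >= LEVELS["UPDATE"],
        "delete": so >= LEVELS["UPDATE"],
        # Open needs READ or higher on SO.<tokenname> or USER.<tokenname>.
        "open": max(so, user) >= LEVELS["READ"],
    }

def who_can(acl, action):
    """Return {token: sorted users} allowed to perform `action`."""
    return {tok: sorted(u for u, e in users.items() if token_rights(e)[action])
            for tok, users in acl.items()}

if __name__ == "__main__":
    acl = parse_permits(SAMPLE_PERMITS)
    for action in ("open", "create", "delete"):
        print(action, who_can(acl, action))
```

Because a token does not have to be empty to be deleted, every user reported under "delete" can remove the token together with any keys and certificates it holds.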





Copyright IBM Corporation 1990, 2014