z/OS Cryptographic Services System SSL Programming


Key database files

SC14-7495-00

To use a key database in FIPS mode, the database must have been created as a FIPS mode database. A key database created with gskkyman without explicitly selecting FIPS at creation time, or created by an application that was not executing in FIPS mode, cannot be used by an application executing in FIPS mode. To create a FIPS mode key database using the gskkyman utility, see Creating, opening, and deleting a key database file. To create a FIPS mode key database using the Certificate Management Services API, the application must start in FIPS mode (see gsk_fips_state_set()).

The following are key points when using FIPS key databases:
  • Only certificates that meet the requirements for FIPS (see Table 1) can be added to a FIPS key database.
  • A FIPS key database may only be modified if executing in FIPS mode. When opening an existing FIPS key database, the gskkyman utility ensures that it is executing in FIPS mode. If an application modifies the key database by using the Certificate Management Services (CMS) APIs, then it too must ensure that it is executing in FIPS mode.
  • A FIPS key database can be used in non-FIPS mode if it is opened for read only.
  • A non-FIPS key database cannot be opened while executing in FIPS mode.

The gskkyman utility automatically detects when a FIPS mode key database is opened, and executes in FIPS mode. This ensures that only certificates or certificate requests that meet the FIPS mode requirements in Table 1 may be added to the key database.
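As an added illustration (not IBM's code and not part of this document), the following Python function encodes the compatibility rules above as a preflight check that a deployment script could apply before invoking gskkyman or the CMS API. The function, class and parameter names are hypothetical; the rules themselves are the ones stated in the list above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class AppMode(Enum):
    """Execution mode of the application (or gskkyman session) opening the database."""
    FIPS = "FIPS"
    NON_FIPS = "non-FIPS"


@dataclass(frozen=True)
class OpenDecision:
    allowed: bool
    reason: str


def keydb_open_allowed(db_is_fips: bool, app_mode: AppMode, write: bool) -> OpenDecision:
    """Decide whether a key database may be opened (and optionally modified).

    Rules encoded (hypothetical helper, written from the documented constraints):
      - a non-FIPS key database cannot be opened while executing in FIPS mode;
      - a FIPS key database may only be modified while executing in FIPS mode;
      - a FIPS key database may be opened read-only from non-FIPS mode.
    """
    if app_mode is AppMode.FIPS and not db_is_fips:
        return OpenDecision(False, "non-FIPS key database cannot be opened in FIPS mode")
    if db_is_fips and app_mode is AppMode.NON_FIPS:
        if write:
            return OpenDecision(False, "FIPS key database may only be modified in FIPS mode")
        return OpenDecision(True, "FIPS key database opened read-only from non-FIPS mode")
    return OpenDecision(True, "database type and application mode are compatible")


def compatibility_matrix() -> List[str]:
    """Enumerate every (database type, mode, access) combination with its outcome."""
    rows = []
    for db_is_fips in (True, False):
        for mode in AppMode:
            for write in (False, True):
                d = keydb_open_allowed(db_is_fips, mode, write)
                db = "FIPS db" if db_is_fips else "non-FIPS db"
                access = "read/write" if write else "read-only"
                rows.append(f"{db:12} {mode.value:9} {access:10} -> {'allowed' if d.allowed else 'denied'}: {d.reason}")
    return rows
```

Running `compatibility_matrix()` prints the eight cases; only the two mismatched combinations that involve writing or a non-FIPS database in FIPS mode are denied.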


Copyright IBM Corporation 1990, 2014