z/OS Cryptographic Services System SSL Programming


Introduction

SC14-7495-00

SSL connections use public/private key mechanisms for authenticating each side of the SSL session and agreeing on bulk encryption keys to be used for the SSL session. To use public/private key mechanisms (termed PKI), public/private key pairs must be generated. In addition, X.509 certificates (which contain public keys) might need to be created, or certificates must be requested, received, and managed.

System SSL supports these two methods for managing PKI private keys and certificates:

  • A z/OS® shell-based program called gskkyman. gskkyman creates, completes, and manages either a z/OS file or a z/OS PKCS #11 token that contains PKI private keys, certificate requests, and certificates. The z/OS file is called a key database and, by convention, has a file extension of .kdb.
  • The z/OS Security Server (RACF®) RACDCERT command. RACDCERT installs and maintains PKI private keys and certificates in RACF. See z/OS Security Server RACF Command Language Reference for details about the RACDCERT command. RACF allows multiple PKI private keys and certificates to be managed as a group. These groups are called key rings or z/OS PKCS #11 tokens.

RACF key rings or z/OS PKCS #11 tokens are the preferred method for managing PKI private keys and certificates for System SSL.

The System SSL application uses the GSK_KEYRING_FILE parameter of the gsk_attribute_set_buffer() API or the GSK_KEYRING_FILE environment variable to specify the locations of the PKI private keys and certificates to System SSL. If you are using a z/OS key database, the key database file name is passed in this parameter. If you are using a RACF key ring or z/OS PKCS #11 token, the name of the key ring or token is passed in this parameter.
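The following shell script is an added example, not part of the IBM manual, showing the environment-variable route described above: it builds the GSK_KEYRING_FILE setting for each of the three sources and, for a key database, checks the points a reviewer would want checked before the value reaches a production job. It assumes details that are not on this page: that System SSL reads the key database password from the file named in GSK_KEYRING_STASH_FILE, that gskkyman's stash file conventionally carries the .sth extension beside the .kdb, that a RACF key ring is named as userid/ringname, and that a PKCS #11 token is named as *TOKEN*/tokenname. The function name keyring_env and the sample names are constructed for the example.

```shell
#!/bin/sh
# Added example (not IBM's code): derive the GSK_KEYRING_FILE setting for a
# System SSL application and sanity-check a key database before use.
#
# Assumptions not stated on the page:
#   GSK_KEYRING_STASH_FILE  - System SSL reads the key database password here
#   <name>.sth              - gskkyman's conventional stash file next to <name>.kdb
#   userid/ringname         - form of a RACF key ring name
#   *TOKEN*/tokenname       - form of a z/OS PKCS #11 token name

# Fail unless the file is readable by this user and not by group or others.
# The key database and its stash file together yield the private keys, so a
# group- or world-readable copy is the first thing to look for in a review.
private_file() {
    f=$1
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    # columns 5-10 of `ls -ld` are the group and other permission bits
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "too permissive ($bits): $f" >&2; return 1; }
    return 0
}

# Usage: keyring_env SOURCE NAME
#   SOURCE is kdb (gskkyman key database), ring (RACF key ring) or
#   token (z/OS PKCS #11 token). Prints the export statements on stdout;
#   returns non-zero when the choice would not work or is unsafe.
keyring_env() {
    src=$1
    name=$2
    [ -n "$name" ] || { echo "missing name" >&2; return 1; }
    case "$src" in
    kdb)
        case "$name" in
        *.kdb) ;;
        *) echo "key database should use the .kdb extension: $name" >&2; return 1 ;;
        esac
        stash="${name%.kdb}.sth"
        private_file "$name" || return 1
        private_file "$stash" || return 1
        # The password lives in the stash file, never in the environment,
        # where other processes could read it.
        echo "export GSK_KEYRING_FILE='$name'"
        echo "export GSK_KEYRING_STASH_FILE='$stash'"
        ;;
    ring)
        # RACF key ring: SAF protects the keys, so no file checks apply.
        echo "export GSK_KEYRING_FILE='$name'"
        ;;
    token)
        case "$name" in
        "*TOKEN*/"?*) ;;
        *) echo "PKCS #11 token name must be *TOKEN*/tokenname: $name" >&2; return 1 ;;
        esac
        echo "export GSK_KEYRING_FILE='$name'"
        ;;
    *)
        echo "unknown source: $src (use kdb, ring or token)" >&2
        return 1
        ;;
    esac
}

# Stand-alone use: ./keyring_env.sh kdb /u/websrv/app.kdb
if [ "$#" -ge 2 ]; then
    keyring_env "$@"
fi
```

The output is meant to be sourced by the job or shell that starts the System SSL application; keeping the password in the stash file rather than a GSK_KEYRING_PW-style variable avoids exposing it through the process environment, and the permission check catches the common mistake of a key database created with the default umask.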





Copyright IBM Corporation 1990, 2014