z/OS Cryptographic Services System SSL Programming


Creating, opening, and deleting a key database file

SC14-7495-00

To create a new key database, enter 1 at the command prompt on the Database Menu:

Figure 1. Creating a New Key Database
       Database Menu                                                       
                                                                           
   1 - Create new database                                                 
   2 - Open database                                                       
   3 - Change database password                                            
   4 - Change database record length                                       
   5 - Delete database
   6 - Create key parameter file      
   7 - Display certificate file (Binary or Base64 ASN.1 DER)         
                                                                           
  11 - Create new token
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens                              
                                                                           
   0 - Exit program                                                        
                                                                           
Enter option number: 1 <enter>                                                    
Enter key database name (press ENTER to return to menu): mykey.kdb <enter>        
Enter database password (press ENTER to return to menu): <enter password>                  
Re-enter database password: <enter password>                                               
Enter password expiration in days (press ENTER for no expiration): 35 <enter>      
Enter database record length (press ENTER to use 5000): <enter>  

Enter 1 for FIPS mode database or 0 to continue: 0 <enter>
                                                                                                                          
Key database /home/sufwl1/ssl_cmd/mykey.kdb created.                       
                                                                           
Press ENTER to continue.                                                   
 ===>                                                                      
                                                                          

Figure 1 shows the input prompts that gskkyman produces when you choose 1 to create a new key database. Default choices are listed in parentheses. In the example, pressing the Enter key at the Enter database record length prompt selected the default of 5000.

Note:
  1. When dealing with certificates which may be large or have large key sizes, for example 2048 or 4096, an initial key record length of 5000 may be required.
  2. The maximum length of the password specified for a key database file is 128 characters.
  3. When creating a new key database file, you will be prompted whether you want a FIPS or non-FIPS database file created. For more information about FIPS mode databases, see Key database files.

After entering the database record length, a message displays confirming that your database was created (see Figure 1). You are prompted to press Enter to continue. Doing so displays the Key Management Menu for the database you have created:

Figure 2. Key Management Menu for gskkyman
                                                                  
       Key Management Menu                                        
                                                                  
       Database: /home/sufwl1/ssl_cmd/mykey.kdb                   
       Expiration Date: 2025/12/02  10:11:12                      
                                                                  
   1 - Manage keys and certificates                               
   2 - Manage certificates                                        
   3 - Manage certificate requests                                
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate 
   6 - Create a self-signed certificate                           
   7 - Import a certificate                                       
   8 - Import a certificate and a private key                     
   9 - Show the default key                                       
  10 - Store database password                                    
  11 - Show database record length                                
                                                                  
   0 - Exit program                                               
                                                                  
Enter option number (press ENTER to return to previous menu):     
 ===>                                                             
                                                                  

Figure 2 shows the Key Management Menu. Entering 0 at this prompt exits the gskkyman program. Pressing Enter at the prompt returns you to the Database Menu.

To open an existing key database file, on the Database Menu, enter option number 2 (see Figure 3). You are then prompted for the key database name and password.

Note: Do not lose the key database password. There is no method to reset this password if you lose or forget it. If the password is lost, the private keys stored in the key database are inaccessible and therefore unusable.

Figure 3. Opening an Existing Key Database File
       Database Menu                                                    
                                                                        
   1 - Create new database                                              
   2 - Open database                                                    
   3 - Change database password                                         
   4 - Change database record length                                    
   5 - Delete database
   6 - Create key parameter file     
   7 - Display certificate file (Binary or Base64 ASN.1 DER)        
                                                                      
  11 - Create new token
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens                              
                                                                      
   0 - Exit program                                                     
                                                                        
Enter option number: 2 <enter>                                                  
Enter key database name (press ENTER to return to menu): mykey.kdb <enter>      
Enter database password (press ENTER to return to menu): <enter password>                
                                                                        
 ===>                                                                   
                                                                        

The key database name is the file name of the key database. The input file name is interpreted relative to the current directory when gskkyman is invoked. You may also specify a fully qualified key database name.

After you enter the key database name and password, the Key Management Menu displays for the database you have selected to open (see Figure 4).

Figure 4. Key Management Menu
                                                                   
       Key Management Menu                                         
                                                                   
       Database: /home/sufwl1/ssl_cmd/mykey.kdb                    
       Expiration Date: 2025/12/02  10:11:12                       
                                                                   
   1 - Manage keys and certificates                                
   2 - Manage certificates                                         
   3 - Manage certificate requests                                 
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate
   6 - Create a self-signed certificate                            
   7 - Import a certificate                                        
   8 - Import a certificate and a private key                      
   9 - Show the default key                                        
  10 - Store database password                                     
  11 - Show database record length                                 
                                                                   
   0 - Exit program                                                
                                                                   
Enter option number (press ENTER to return to previous menu):      
 ===>                                                              
                                                                   

To delete an existing database, from the Database Menu, select option 5 (see Figure 5):

Figure 5. Deleting an Existing Key Database
                                                                      
       Database Menu                                                  
                                                                      
   1 - Create new database                                            
   2 - Open database                                                  
   3 - Change database password                                       
   4 - Change database record length                                  
   5 - Delete database
   6 - Create key parameter file     
   7 - Display certificate file (Binary or Base64 ASN.1 DER)        
                                                                      
  11 - Create new token
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens                              
                                                                    
   0 - Exit program                                                   
                                                                      
Enter option number: 5 <enter>                                                
Enter key database name (press ENTER to return to menu): mykey.kdb <enter>    
                                                                      
Enter 1 to confirm delete, 0 to cancel delete: 1 <enter>                     
                                                                      
Key database /home/sufwl1/ssl_cmd/mykey.kdb deleted.                  
                                                                      
Press ENTER to continue.                                              
 ===>                                                                 
                                                                      

You are prompted to enter the key database name that you want to delete. Then you must enter 1 to confirm the delete, or 0 to cancel the delete. If you choose 1, a message displays to confirm the file has been deleted.

Note: If you delete an existing key database, the associated request database and database password stash file (if they exist) are also deleted. Anyone with write access to a key database can delete that database, either by removing it with the rm command or by using the gskkyman subcommand.
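
The following shell check is an added example, not part of the IBM documentation: it reports when the key database, its request database, its stash file, or the containing directory is writable by group or other. It assumes the companion files sit beside the .kdb as <name>.rdb and <name>.sth, and it goes one step beyond the note above by also flagging files that other users can read.

```shell
#!/bin/sh
# Added example: audit permissions around a gskkyman key database.
# Assumption: the request database and stash file are <name>.rdb and
# <name>.sth in the same directory as <name>.kdb.

# mode_of PATH: print the 10-character mode string shown by ls -ld
mode_of() {
    ls -ld -- "$1" | awk '{ print substr($1, 1, 10) }'
}

# audit_kdb PATH.kdb: print one finding per line; return 1 if any found
audit_kdb() {
    kdb=$1
    base=${kdb%.kdb}
    dir=$(dirname "$kdb")
    findings=0
    # rm is governed by write permission on the directory, so check it too
    for f in "$dir" "$kdb" "$base.rdb" "$base.sth"; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        g_w=$(printf '%s' "$m" | cut -c6)   # group write bit
        o_r=$(printf '%s' "$m" | cut -c8)   # other read bit
        o_w=$(printf '%s' "$m" | cut -c9)   # other write bit
        if [ "$g_w" = w ] || [ "$o_w" = w ]; then
            echo "WRITABLE $m $f"
            findings=$((findings + 1))
        fi
        # Extra check: key material and the stashed password should not
        # be readable by other users (the directory itself is exempt).
        if [ "$f" != "$dir" ] && [ "$o_r" = r ]; then
            echo "READABLE $m $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit_kdb.sh /path/to/mykey.kdb
if [ "$#" -gt 0 ]; then
    audit_kdb "$1"
fi
```

A clean result prints nothing and returns 0; each WRITABLE or READABLE line names a path whose mode should be tightened, for example with chmod 600 on the files and chmod 700 on the directory.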





Copyright IBM Corporation 1990, 2014