This is the top-level menu and is displayed when the gskkyman utility
starts:

Figure 1. Database menu

   Database Menu

   1 - Create new database
   2 - Open database
   3 - Change database password
   4 - Change database record length
   5 - Delete database
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)
   11 - Create new token
   12 - Delete token
   13 - Manage token
   14 - Manage token from list of tokens
   0 - Exit program

   Enter option number:
- Create new database

This option creates a new key database and the associated request
database. You are prompted to enter the key database name, the database
password, the password expiration interval, and the database record
length, and to choose either a FIPS or non-FIPS database (see Key
database files for a discussion of FIPS mode databases).

The fully-qualified key database name must be between 2 and 251
characters. The file can contain an extension consisting of 1 to 3
characters. The suggested extension is ".kdb". The maximum database
name is 247 characters if the name does not end with an extension, to
allow for the addition of an extension when creating the request
database or the password stash file. The key database name may not end
with ".rdb" or ".sth", as these extensions are reserved for the request
database and the password stash file.

The database password must be between 1 and 128 characters. A password
exceeding 128 characters will be truncated to 128 characters.

The password expiration interval must be between 0 and 9999 days (a
value of 0 indicates that the password does not expire).

The record length must be large enough to contain the largest
certificate to be stored in the database and must be between 2500 and
65536.

Two files will be created: the key database and the request database.
The request database has an extension of ".rdb". The file access
permissions will be set so that only the owner has access to the files.
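The name, password, expiration and record-length rules above can be checked before gskkyman is driven, for example from a provisioning script. The following Python function is an added example, not gskkyman code or part of IBM's documentation; its reading of "extension" as a trailing "." followed by 1 to 3 characters, and its case-sensitive test for the reserved extensions, are assumptions of this example.

```python
import re

# Limits stated in the gskkyman "Create new database" description.
MIN_NAME_LEN, MAX_NAME_LEN = 2, 251
MAX_NAME_LEN_NO_EXT = 247            # leaves room for ".rdb"/".sth" to be appended
RESERVED_EXTENSIONS = (".rdb", ".sth")
MAX_PASSWORD_LEN = 128
MAX_EXPIRY_DAYS = 9999
MIN_RECORD_LEN, MAX_RECORD_LEN = 2500, 65536

# Assumption: an extension is a trailing "." followed by 1 to 3 characters
# that are neither "." nor "/".
_EXT_RE = re.compile(r"\.[^./]{1,3}$")


def check_create_database(name, password, expiry_days, record_length):
    """Pre-flight check of the four answers gskkyman asks for.

    Returns {"errors": [...], "warnings": [...], "effective_password": str}.
    An empty "errors" list means the values satisfy the documented limits.
    """
    errors, warnings = [], []

    # --- key database name -------------------------------------------------
    if not MIN_NAME_LEN <= len(name) <= MAX_NAME_LEN:
        errors.append(f"name length {len(name)} outside {MIN_NAME_LEN}..{MAX_NAME_LEN}")
    elif not _EXT_RE.search(name) and len(name) > MAX_NAME_LEN_NO_EXT:
        errors.append(f"name has no extension and exceeds {MAX_NAME_LEN_NO_EXT} characters")
    if name.endswith(RESERVED_EXTENSIONS):
        errors.append("extension .rdb/.sth is reserved for the request database and stash file")
    elif _EXT_RE.search(name) and not name.endswith(".kdb"):
        warnings.append("extension differs from the suggested '.kdb'")

    # --- password: an over-long password is not rejected, it is truncated ----
    if len(password) < 1:
        errors.append("password must be at least 1 character")
    elif len(password) > MAX_PASSWORD_LEN:
        warnings.append(f"password truncated to {MAX_PASSWORD_LEN} characters; "
                        "anything beyond that does not contribute to protection")

    # --- expiration interval and record length ------------------------------
    if not 0 <= expiry_days <= MAX_EXPIRY_DAYS:
        errors.append(f"expiration {expiry_days} outside 0..{MAX_EXPIRY_DAYS} days")
    elif expiry_days == 0:
        warnings.append("expiration 0: the database password never expires")
    if not MIN_RECORD_LEN <= record_length <= MAX_RECORD_LEN:
        errors.append(f"record length {record_length} outside {MIN_RECORD_LEN}..{MAX_RECORD_LEN}")

    return {"errors": errors, "warnings": warnings,
            "effective_password": password[:MAX_PASSWORD_LEN]}
```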
- Open database

This option will open an existing database. You will be prompted to
enter the key database name and the database password.

The fully-qualified key database name must be between 2 and 251
characters and should either have no extension or an extension of
".kdb" (the maximum database name is 247 characters if the name does not
end with an extension of 1-3 characters, to allow for the addition of an
extension when accessing the request database or the password stash
file). The key database name may not end with ".rdb" or ".sth", as these
extensions are reserved for the request database and the password stash
file.
- Change database password

This option will change the database password. You can change the
password at any time, but you must change it once it has expired in
order to access the database once more. You will be prompted to enter
the key database name, the current database password, the new database
password, and the new password expiration interval.

The new database password must be between 1 and 128 characters.

The password expiration interval must be between 0 and 9999 days (a
value of 0 indicates that the password does not expire).
- Change database record length

This option will change the database record length. All database records
have the same length and database entries cannot span records. You can
increase the record length if you find it is too small to store a new
certificate. You can decrease the record length to reduce the database
size if the original record length is too large. You cannot reduce the
record length to a value smaller than the largest certificate currently
in the database. You will be prompted to enter the key database name,
the database password, and the new record length.

The new record length must be between 2500 and 65536.
- Delete database

This option will delete the key database, the associated request
database, and the database password stash file. You will be prompted to
enter the key database name.
- Create key parameter file

This option will create a file containing a set of key generation
parameters. Key generation parameters are used when generating Digital
Signature Standard (DSS) and Diffie-Hellman (DH) keys. The parameters
will be stored in the specified file as an ASN.1-encoded sequence in
Base64 format. This file can then be used when creating a signed
certificate. The same key generation parameters can be used to generate
multiple public/private key pairs. Using the same key generation
parameters significantly reduces the time required to generate a
public/private key pair. In addition, the Diffie-Hellman key agreement
method requires both sides to use the same group parameters in order to
compute the key exchange value. See FIPS 186-3: Digital Signature
Standard (DSS) and RFC 2631: Diffie-Hellman Key Agreement Method for
more information about the key generation parameters. The key parameter
generation process can take from 1 to 10 minutes depending upon key
size, processor speed, and system load.
- Display certificate file (Binary or Base64 ASN.1 DER)

This option displays information about an X.509 certificate file. You
will be prompted to enter the certificate file name. The fully-qualified
certificate file name must be between 2 and 251 characters. The
specified file must contain either a binary ASN.1 DER-encoded
certificate or the Base64 encoding of a binary ASN.1 stream. A
Base64-encoded certificate must be in the local code page.
Note: Information retrieved for z/OS® PKCS #11 tokens is not cached. Each
time a menu is displayed, the information is retrieved from the ICSF TKDS
(token key dataspace). This is also true when displaying the list of
available z/OS PKCS #11 tokens. On return from displaying a subordinate
menu, the current list of tokens is retrieved and the menu refreshed.
- Create new token

This option will create a new token. You will be prompted to enter the
token name.

The name must be a unique non-empty string and consist of characters
that are alphanumeric, national (@ - x5B, # - x7B, $ - x7C) and period
(x4B). The name is specified in the local code page. The first character
must be alphabetic or national. Lowercase letters are permitted but will
be folded to uppercase.

Once the token is created, the Database menu is displayed.
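The token-name rules above, including the folding to uppercase that the Delete token and Manage token options also rely on, as an added Python example that is not gskkyman code: it treats "alphanumeric" as ASCII letters and digits and checks uniqueness against a caller-supplied set of names assumed to be stored in uppercase, both of which are assumptions of this example.

```python
import string

# Character classes stated for token names. The hex values quoted on the
# page are the local (EBCDIC) code points: @ x5B, # x7B, $ x7C, period x4B.
NATIONAL_CHARS = "@#$"
ALNUM_CHARS = string.ascii_letters + string.digits   # assumption: ASCII only
ALLOWED_CHARS = set(ALNUM_CHARS + NATIONAL_CHARS + ".")


def normalize_token_name(name, existing_tokens):
    """Validate a token name against the rules above and return it folded to
    uppercase, which is the form in which it is processed.

    existing_tokens is a set of names already present (assumed uppercase).
    Checking the folded name against it catches the case where "mytoken"
    and "MYTOKEN" would collide after folding. Raises ValueError naming the
    first rule the name breaks.
    """
    if not name:
        raise ValueError("token name must be non-empty")
    for ch in name:
        if ch not in ALLOWED_CHARS:
            raise ValueError(f"character {ch!r} is not alphanumeric, national or period")
    if not (name[0].isalpha() or name[0] in NATIONAL_CHARS):
        raise ValueError("first character must be alphabetic or national")
    folded = name.upper()            # lowercase letters are folded to uppercase
    if folded in existing_tokens:
        raise ValueError(f"token name {folded} is already in use")
    return folded
```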
- Delete token

This option will delete the key token. You will be prompted to enter the
token name. If the token exists, you are prompted again to re-enter the
full token name as confirmation before the specified token is deleted.

Note: If the name consists of lowercase characters, it will be uppercased
when processed.
- Manage token

This option manages the token. You will be prompted to enter the token
name. The token that matches the entered name is then used in the Token
Management Menu that is subsequently displayed.

Note: If the name consists of lowercase characters, it will be uppercased
when processed.
- Manage token from list of tokens

This option displays a list of existing tokens by name, from which an
entry can be chosen for use in the Token Management Menu that is
subsequently displayed.

Note: If the name consists of lowercase characters, it will be uppercased
when processed.