z/OS Cryptographic Services System SSL Programming
SC14-7495-00

Database menu

This is the top-level menu and is displayed when the gskkyman utility starts:

Figure 1. Database menu
       Database Menu

   1 - Create new database
   2 - Open database
   3 - Change database password
   4 - Change database record length
   5 - Delete database
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)

  11 - Create new token
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens

   0 - Exit program

Enter option number:

Create new database

This option creates a new key database and the associated request database. You are prompted to enter the key database name, the database password, the password expiration interval, and the database record length, and to choose either a FIPS or non-FIPS database (see Key database files for a discussion of FIPS mode databases).

The fully-qualified key database name must be between 2 and 251 characters. The file name can include an extension of 1 to 3 characters; the suggested extension is ".kdb". If the name does not end with an extension, the maximum length is 247 characters, which leaves room for the extension that is added when the request database or the password stash file is created. The key database name may not end with ".rdb" or ".sth", as these extensions are reserved for the request database and the password stash file.

The database password must be between 1 and 128 characters. A password exceeding 128 characters will be truncated to 128 characters.

The password expiration interval must be between 0 and 9999 days (a value of 0 indicates that the password does not expire).

The record length must be large enough to contain the largest certificate to be stored in the database and must be between 2500 and 65536.

Two files will be created: the key database and the request database. The request database has an extension of '.rdb'. The file access permissions will be set so only the owner has access to the files.

Open database

This option will open an existing database. You will be prompted to enter the key database name and the database password.

The fully-qualified key database name must be between 2 and 251 characters and must either have no extension or have the extension '.kdb'. If the name does not end with an extension of 1-3 characters, the maximum length is 247 characters, which leaves room for the extension that is added when the request database or the password stash file is accessed. The key database name may not end with '.rdb' or '.sth', as these extensions are reserved for the request database and the password stash file.
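The name, password, expiration and record-length limits stated for "Create new database" and "Open database" are easy to get wrong when a key database is created from an automated job rather than interactively. The following checks are an added example written for this page; they are not IBM code and do not invoke gskkyman. The limits are the documented ones; the companion-file naming (an existing 1-3 character extension is replaced, otherwise ".rdb"/".sth" is appended) is an assumption inferred from the 247-character rule, and the regular expression that decides what counts as an extension is likewise this example's own choice.

```python
"""Pre-flight checks for the key database parameters that gskkyman prompts for.

Added example, not IBM code. Limits are those documented above: name 2-251
characters, optional 1-3 character extension, 247 characters without an
extension, reserved .rdb/.sth, password 1-128 characters (longer input is
truncated), expiration 0-9999 days, record length 2500-65536.
"""
import re

RESERVED_EXTENSIONS = (".rdb", ".sth")
SUGGESTED_EXTENSION = ".kdb"
# Assumption: an "extension" is a final '.' followed by 1 to 3 characters that
# contain neither '/' nor '.'.
_EXT_RE = re.compile(r"\.[^./]{1,3}$")


def check_key_database_name(name: str, opening: bool = False) -> list:
    """Return the documented rule violations (an empty list means acceptable).

    opening=True applies the 'Open database' wording: the name must have no
    extension or the extension .kdb.
    """
    problems = []
    if not 2 <= len(name) <= 251:
        problems.append("name must be between 2 and 251 characters")
    if name.endswith(RESERVED_EXTENSIONS):
        problems.append("name may not end with .rdb or .sth (reserved)")
    ext = _EXT_RE.search(name)
    if ext is None and len(name) > 247:
        problems.append("name without an extension may not exceed 247 characters")
    if opening and ext is not None and ext.group(0) != SUGGESTED_EXTENSION:
        problems.append("for open, the name must have no extension or the extension .kdb")
    return problems


def companion_file_names(name: str) -> tuple:
    """Names of the request database (.rdb) and the password stash file (.sth).

    Assumption (not stated on the page): an existing extension is replaced,
    otherwise the extension is appended.
    """
    base = _EXT_RE.sub("", name)
    return base + ".rdb", base + ".sth"


def normalize_password(password: str) -> str:
    """Documented behaviour: 1 to 128 characters; longer input is truncated to 128."""
    if not password:
        raise ValueError("password must be at least 1 character")
    return password[:128]


def check_expiration_days(days: int) -> list:
    """0 means the password never expires; anything above 9999 is rejected."""
    if 0 <= days <= 9999:
        return []
    return ["expiration interval must be between 0 and 9999 days"]


def check_record_length(length: int, largest_certificate: int = 0) -> list:
    """Records cannot be spanned, so the length must hold the largest certificate."""
    problems = []
    if not 2500 <= length <= 65536:
        problems.append("record length must be between 2500 and 65536")
    if length < largest_certificate:
        problems.append("record length is smaller than the largest certificate in the database")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    name = "/u/user1/mykeys.kdb"
    print(name, check_key_database_name(name), companion_file_names(name))
    print(check_key_database_name("/" + "a" * 249))          # no extension, 250 chars
    print(check_record_length(3000, largest_certificate=4000))
```

The record-length check is the one worth wiring into any job that imports certificates: the page states that reducing the length below the largest stored certificate is refused, and an oversized certificate is the usual reason a later import fails against a database created with the 2500-byte minimum.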

Change database password

This option will change the database password. You can change the password at any time, but once it has expired you must change it before the database can be accessed again. You will be prompted to enter the key database name, the current database password, the new database password, and the new password expiration interval.

The new database password must be between 1 and 128 characters.

The password expiration interval must be between 0 and 9999 days (a value of 0 indicates that the password does not expire).

Change database record length

This option will change the database record length. All database records have the same length and database entries cannot span records. You can increase the record length if you find it is too small to store a new certificate. You can decrease the record length to reduce the database size if the original record length is too large. You cannot reduce the record length to a value smaller than the largest certificate currently in the database. You will be prompted to enter the key database name, the database password, and the new record length.

The new record length must be between 2500 and 65536.

Delete database

This option will delete the key database, the associated request database, and the database password stash file. You will be prompted to enter the key database name.

Create key parameter file

This option will create a file containing a set of key generation parameters. Key generation parameters are used when generating Digital Signature Standard (DSS) and Diffie-Hellman (DH) keys. The parameters will be stored in the specified file as an ASN.1-encoded sequence in Base64 format. This file can then be used when creating a signed certificate. The same key generation parameters can be used to generate multiple public/private key pairs. Using the same key generation parameters significantly reduces the time required to generate a public/private key pair. In addition, the Diffie-Hellman key agreement method requires both sides to use the same group parameters in order to compute the key exchange value. See FIPS 186-3: Digital Signature Standard (DSS) and RFC 2631: Diffie-Hellman Key Agreement Method for more information about the key generation parameters. The key parameter generation process can take from 1 to 10 minutes depending upon key size, processor speed, and system load.

Display certificate file (Binary or Base64 ASN.1 DER)

This option displays information about an X.509 certificate file. You will be prompted to enter the certificate file name. The fully-qualified certificate file name must be between 2 and 251 characters. The specified file must contain either a binary ASN.1 DER-encoded certificate or the Base64-encoding of a binary ASN.1 stream. A Base64-encoded certificate must be in the local code page.
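The two file forms this option accepts, a binary ASN.1 DER stream and its Base64 encoding, can be told apart from the first byte, and the outer DER SEQUENCE header gives the encoded size that must fit within the key database record length. The following inspector is an added example for this page, not IBM code and not what gskkyman itself does internally: it decodes Base64 (with or without the usual BEGIN/END armour), checks the outer SEQUENCE tag and length, and reports whether the result would fit a given record length. It reads the Base64 text as ASCII; on z/OS a file in the local code page (EBCDIC) would first have to be converted, which this example does not do. The DER samples embedded in it are constructed minimal ASN.1 structures, not real certificates.

```python
"""Classify and size a certificate file given as binary DER or Base64 DER.

Added example, not IBM code. Only the outer SEQUENCE envelope (tag + length)
is decoded; no X.509 fields are interpreted.
"""
import base64
import re

SEQUENCE_TAG = 0x30
# Optional PEM-style armour around the Base64 body.
_PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def load_der(data: bytes) -> bytes:
    """Return the binary DER stream, decoding Base64 first when needed.

    A binary DER certificate starts with 0x30 (SEQUENCE). Base64 text that
    encodes a SEQUENCE never starts with the ASCII '0' (also 0x30), because the
    first Base64 character '0' would stand for a leading byte of 0xD0-0xD3, so
    the first byte is a safe discriminator here.
    """
    if data[:1] == bytes([SEQUENCE_TAG]):
        return data
    match = _PEM_RE.search(data)
    body = match.group(1) if match else data
    body = b"".join(body.split())          # strip line breaks and blanks
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError
        raise ValueError("file is neither binary DER nor valid Base64") from exc
    if der[:1] != bytes([SEQUENCE_TAG]):
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    return der


def der_sequence_length(der: bytes) -> tuple:
    """Decode the outer SEQUENCE header; return (header_length, content_length)."""
    if len(der) < 2 or der[0] != SEQUENCE_TAG:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def inspect_certificate_file(data: bytes, record_length: int = 2500) -> dict:
    """Report the encoding, the DER size, and whether it fits one database record."""
    der = load_der(data)
    header_len, content_len = der_sequence_length(der)
    total = header_len + content_len
    if total != len(der):
        raise ValueError(f"SEQUENCE claims {total} bytes but file holds {len(der)}")
    return {
        "encoding": "binary" if data[:1] == bytes([SEQUENCE_TAG]) else "base64",
        "der_bytes": total,
        "fits_record": total <= record_length,
    }


def is_well_formed(data: bytes) -> bool:
    """True when the file parses as a self-consistent DER or Base64 DER stream."""
    try:
        inspect_certificate_file(data)
        return True
    except ValueError:
        return False


# Constructed samples (not real certificates):
# SEQUENCE { INTEGER 1, NULL }  -> short-form length, 7 bytes in total
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# SEQUENCE { OCTET STRING of 197 zero bytes } -> long-form length (0x81 0xC8 = 200)
LONG_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"\x00" * 197

if __name__ == "__main__":
    for sample in (SAMPLE_DER, SAMPLE_PEM, LONG_DER):
        print(inspect_certificate_file(sample))
```

The length consistency check is the part that matters operationally: a file whose outer SEQUENCE length disagrees with its size is either truncated or has trailing junk, and that is the cause to rule out before suspecting the code page or the Base64 armour.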

Note: Information retrieved for z/OS® PKCS #11 tokens is not cached. Each time a menu is displayed, the information is retrieved from the ICSF TKDS (token key dataspace). This is also true when displaying the list of available z/OS PKCS #11 tokens. On return from displaying a subordinate menu, the current list of tokens is retrieved and the menu refreshed.

Create new token

This option will create a new token. You will be prompted to enter the token name.

The name must be a unique, non-empty string consisting only of alphanumeric characters, the national characters (@ -x5B, # -x7B, $ -x7C), and the period (x4B).

The name is specified in the local code page.

The first character must be alphabetic or national. Lowercase letters are permitted but will be folded to uppercase.

Once the token is created the Database menu is displayed.

Delete token

This option will delete the key token. You will be prompted to enter the token name. If the token exists, you are prompted again to re-enter the full token name as confirmation before the specified token is deleted.

Note: If the name contains lowercase characters, it is folded to uppercase when processed.

Manage token

This option manages the token. You will be prompted to enter the token name. The token that matches the entered name is then used in the Token Management Menu that is subsequently displayed.

Note: If the name contains lowercase characters, it is folded to uppercase when processed.

Manage token from list of tokens

This option displays a list of existing tokens by name from which an entry can be chosen for use in the Token Management Menu that is subsequently displayed.

Note: If the name contains lowercase characters, it is folded to uppercase when processed.
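The token-name rules under "Create new token" (character set, first character, uppercase folding, uniqueness) and the uppercase matching used by "Delete token" and "Manage token" are the same small set of rules seen from two sides. The code below is an added example for this page, not IBM code and not how ICSF or gskkyman implement it: one function validates and folds a name the way the text describes, and one looks a name up in an existing token list after the same folding. The national-character set is the @, #, $ trio the page names; the token names used as sample input are constructed.

```python
"""Token-name validation and lookup matching the rules documented above.

Added example, not IBM code. Rules: non-empty; only alphanumeric, national
(@ # $) or period characters; first character alphabetic or national;
lowercase folded to uppercase; name unique among existing tokens.
"""
import string

NATIONAL = frozenset("@#$")
ALPHA = frozenset(string.ascii_letters)
ALNUM = frozenset(string.ascii_letters + string.digits)
ALLOWED = ALNUM | NATIONAL | {"."}


def fold_token_name(name: str) -> str:
    """Lowercase letters are folded to uppercase before any comparison."""
    return name.upper()


def token_name_problems(name: str, existing=()) -> list:
    """Return the rule violations for a proposed token name (empty list = acceptable).

    'existing' is the current token list; the uniqueness test is performed on
    the folded names, matching the documented uppercase handling.
    """
    problems = []
    if not name:
        return ["token name must be non-empty"]
    folded = fold_token_name(name)
    if not (folded[0] in ALPHA or folded[0] in NATIONAL):
        problems.append("first character must be alphabetic or national (@ # $)")
    bad = sorted({ch for ch in folded if ch not in ALLOWED})
    if bad:
        problems.append("invalid character(s): " + " ".join(repr(c) for c in bad))
    if folded in {fold_token_name(e) for e in existing}:
        problems.append(f"token {folded} already exists")
    return problems


def normalize_token_name(name: str, existing=()) -> str:
    """Validate and return the folded name as the token will actually be stored."""
    problems = token_name_problems(name, existing)
    if problems:
        raise ValueError("; ".join(problems))
    return fold_token_name(name)


def find_token(name: str, tokens) -> str:
    """Lookup as 'Delete token' / 'Manage token' do: fold, then match exactly.

    Returns the stored token name, or None when no token matches.
    """
    wanted = fold_token_name(name)
    for token in tokens:
        if fold_token_name(token) == wanted:
            return token
    return None


if __name__ == "__main__":
    # Constructed sample token list, not read from any TKDS.
    tokens = ["WEB.SERVER1", "$PAYROLL"]
    print(normalize_token_name("web.server2", tokens))
    print(token_name_problems("1st.token"))
    print(find_token("web.server1", tokens), find_token("missing", tokens))
```

Because both the create path and the lookup path fold through the same function, a name that validates on creation is guaranteed to be found again by "Manage token" regardless of the case typed at the prompt, which is exactly the behaviour the three notes above describe.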

Copyright IBM Corporation 1990, 2014