z/OS Cryptographic Services System SSL Programming
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Key database files

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

Key database files are password protected because they contain the private keys that are associated with some of the certificates that are contained in the key database. Private keys, as their name implies, should be protected because their value is used in verifying the authenticity of requests made during PKI operations.

It is suggested that key database files be set with these string file permissions: 
-rw------- (600)   (read-write for only the owner of the key database)
The owner of the key database should be the user managing the key database. The program using System SSL (and the key database) must have at least read permission to the key database file at run time. If the program is a server program that runs under a different user ID than the administrator of the key database file, you should set up a group to control access to the key database file. In this case, it is suggested that you set the permissions on the key database file to: 
-rw-r---- (640)   (read-write for owner and read-only for group)

The owner of the key database file is set to the administrator user ID and the group owner of the key database file is set to the group that contains the server that is using the key database file.

A key database that is created as a FIPS mode database, can only be updated by gskkyman or by using the CMS APIs executing in FIPS mode. Such a database, however, may be opened as read-only when executing in non-FIPS mode. Key databases created while in non-FIPS mode cannot be opened when executing in FIPS mode.

Parent topic: Certificate/Key management

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014