115 lines
7.7 KiB
HTML
115 lines
7.7 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Certificate stores" />
|
||
|
<meta name="abstract" content="A certificate store is a special key database file that Digital Certificate Manager (DCM) uses to store digital certificates." />
|
||
|
<meta name="description" content="A certificate store is a special key database file that Digital Certificate Manager (DCM) uses to store digital certificates." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4abunderstanddc.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahutypesofcerts.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzahu1nm-cert_store" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Certificate stores</title>
|
||
|
</head>
|
||
|
<body id="rzahu1nm-cert_store"><a name="rzahu1nm-cert_store"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Certificate stores</h1>
|
||
|
<div><p>A certificate store is a special key database file that Digital
|
||
|
Certificate Manager (DCM) uses to store digital certificates. </p>
|
||
|
<p>The certificate store contains the certificate's private key
|
||
|
unless you choose to use an IBM<sup>®</sup> Cryptographic Coprocessor to store the key instead.
|
||
|
DCM allows you to create and manage several types of certificate stores. DCM
|
||
|
controls access to certificate stores through passwords in conjunction with
|
||
|
access control of the integrated file system directory and the files that
|
||
|
constitute the certificate store.</p>
|
||
|
<p>Certificate stores are classified based on the types of certificates that
|
||
|
they contain. The management tasks that you can perform for each certificate
|
||
|
store vary based on the type of certificate that the certificate store contains.
|
||
|
DCM provides the following predefined certificate stores that you can create
|
||
|
and manage: </p>
|
||
|
<dl><dt class="dlterm">Local Certificate Authority (CA)</dt>
|
||
|
<dd> DCM uses this certificate store to store the Local CA certificate and
|
||
|
its private key if you create a Local CA. You can use the certificate in this
|
||
|
certificate store to sign certificates that you use the Local CA to issue.
|
||
|
When the Local CA issues a certificate, DCM puts a copy of the CA certificate
|
||
|
(without the private key) in the appropriate certificate store (for example,
|
||
|
*SYSTEM) for authentication purposes. Applications use CA certificates to
|
||
|
verify the origination of certificates that they must validate as part of
|
||
|
the SSL negotiation to grant authorization to resources. </dd>
|
||
|
<dt class="dlterm">*SYSTEM</dt>
|
||
|
<dd>DCM provides this certificate store for managing server or client certificates
|
||
|
that applications use to participate in Secure Sockets Layer (SSL) communications
|
||
|
sessions. IBM <span class="keyword">iSeries™</span> applications (and many other
|
||
|
software developers' applications) are written to use certificates in the
|
||
|
*SYSTEM certificate store only. When you use DCM to create a Local CA, DCM
|
||
|
creates this certificate store as part of the process. When you choose to
|
||
|
obtain certificates from a public CA, such as VeriSign, for your server or
|
||
|
client applications to use, you must create this certificate store.</dd>
|
||
|
<dt class="dlterm">*OBJECTSIGNING</dt>
|
||
|
<dd>DCM provides this certificate store for managing certificates that you
|
||
|
use to digitally sign objects. Also, the tasks in this certificate store allow
|
||
|
you to create digital signatures on objects, as well as view and verify signatures
|
||
|
on objects. When you use DCM to create a Local CA, DCM creates this certificate
|
||
|
store as part of the process. When you choose to obtain certificates from
|
||
|
a public CA, such as VeriSign, for signing objects, you must create this certificate
|
||
|
store. </dd>
|
||
|
<dt class="dlterm">*SIGNATUREVERIFICATION</dt>
|
||
|
<dd>DCM provides this certificate store for managing certificates that you
|
||
|
use to verify the authenticity of digital signatures on objects. To verify
|
||
|
a digital signature, this certificate store must contain a copy of the certificate
|
||
|
that signed the object. The certificate store must also contain a copy of
|
||
|
the CA certificate for the CA that issued the object signing certificate.
|
||
|
You obtain these certificate either by exporting object signing certificates
|
||
|
on the current system into the store or by importing certificates that you
|
||
|
receive from the object signer.</dd>
|
||
|
<dt class="dlterm">Other System Certificate Store</dt>
|
||
|
<dd>This certificate store provides an alternate storage location for server
|
||
|
or client certificates that you use for SSL sessions. Other System Certificate
|
||
|
Stores are user-defined secondary certificate stores for SSL certificates.
|
||
|
The Other System Certificate Store option allows you to manage certificates
|
||
|
for applications that you or others write that use the SSL_Init API to programmatically
|
||
|
access and use a certificate to establish an SSL session. This API allows
|
||
|
an application to use the default certificate for a certificate store rather
|
||
|
than a certificate that you specifically identify. Most commonly, you use
|
||
|
this certificate store when migrating certificates from a prior release of
|
||
|
DCM, or to create a special subset of certificates for SSL use. </dd>
|
||
|
</dl>
|
||
|
<div class="p"><div class="note"><span class="notetitle">Note:</span> If you have an IBM Cryptographic Coprocessor installed on your system,
|
||
|
you can choose other private key storage options for your certificates (with
|
||
|
the exception of object signing certificates). You can elect to store the
|
||
|
private key on the coprocessor itself or use the coprocessor to encrypt the
|
||
|
private key and store it in a special key file instead of in a certificate
|
||
|
store. </div>
|
||
|
</div>
|
||
|
<p>DCM controls access to certificate stores through passwords. DCM also maintains
|
||
|
access control of the integrated file system directory and the files that
|
||
|
constitute the certificate stores. The Local Certificate Authority (CA), *SYSTEM,
|
||
|
*OBJECTSIGNING, and *SIGNATUREVERIFICATION certificate stores must be located
|
||
|
in the specific paths within the integrated file system, Other System Certificate
|
||
|
stores can be located anywhere in the integrated file system.</p>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4abunderstanddc.htm" title="View this information to better understand what digital certificates are and how they work. Learn about the different types of certificates and how you can use them as part of your security policy.">DCM concepts</a></div>
|
||
|
</div>
|
||
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
<div><a href="rzahutypesofcerts.htm" title="Use this information to learn about the different types of digital certificates and how they are used in the Digital Certificate Manager (DCM).">Types of digital certificates</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|