ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahurzahu1nmcertstore.htm

115 lines
7.7 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Certificate stores" />
<meta name="abstract" content="A certificate store is a special key database file that Digital Certificate Manager (DCM) uses to store digital certificates." />
<meta name="description" content="A certificate store is a special key database file that Digital Certificate Manager (DCM) uses to store digital certificates." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4abunderstanddc.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahutypesofcerts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahu1nm-cert_store" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Certificate stores</title>
</head>
<body id="rzahu1nm-cert_store"><a name="rzahu1nm-cert_store"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Certificate stores</h1>
<div><p>A certificate store is a special key database file that Digital
Certificate Manager (DCM) uses to store digital certificates. </p>
<p>The certificate store contains the certificate's private key
unless you choose to use an IBM<sup>®</sup> Cryptographic Coprocessor to store the key instead.
DCM allows you to create and manage several types of certificate stores. DCM
controls access to certificate stores through passwords in conjunction with
access control of the integrated file system directory and the files that
constitute the certificate store.</p>
<p>Certificate stores are classified based on the types of certificates that
they contain. The management tasks that you can perform for each certificate
store vary based on the type of certificate that the certificate store contains.
DCM provides the following predefined certificate stores that you can create
and manage: </p>
<dl><dt class="dlterm">Local Certificate Authority (CA)</dt>
<dd> DCM uses this certificate store to store the Local CA certificate and
its private key if you create a Local CA. You can use the certificate in this
certificate store to sign certificates that you use the Local CA to issue.
When the Local CA issues a certificate, DCM puts a copy of the CA certificate
(without the private key) in the appropriate certificate store (for example,
*SYSTEM) for authentication purposes. Applications use CA certificates to
verify the origination of certificates that they must validate as part of
the SSL negotiation to grant authorization to resources. </dd>
<dt class="dlterm">*SYSTEM</dt>
<dd>DCM provides this certificate store for managing server or client certificates
that applications use to participate in Secure Sockets Layer (SSL) communications
sessions. IBM <span class="keyword">iSeries™</span> applications (and many other
software developers' applications) are written to use certificates in the
*SYSTEM certificate store only. When you use DCM to create a Local CA, DCM
creates this certificate store as part of the process. When you choose to
obtain certificates from a public CA, such as VeriSign, for your server or
client applications to use, you must create this certificate store.</dd>
<dt class="dlterm">*OBJECTSIGNING</dt>
<dd>DCM provides this certificate store for managing certificates that you
use to digitally sign objects. Also, the tasks in this certificate store allow
you to create digital signatures on objects, as well as view and verify signatures
on objects. When you use DCM to create a Local CA, DCM creates this certificate
store as part of the process. When you choose to obtain certificates from
a public CA, such as VeriSign, for signing objects, you must create this certificate
store. </dd>
<dt class="dlterm">*SIGNATUREVERIFICATION</dt>
<dd>DCM provides this certificate store for managing certificates that you
use to verify the authenticity of digital signatures on objects. To verify
a digital signature, this certificate store must contain a copy of the certificate
that signed the object. The certificate store must also contain a copy of
the CA certificate for the CA that issued the object signing certificate.
You obtain these certificate either by exporting object signing certificates
on the current system into the store or by importing certificates that you
receive from the object signer.</dd>
<dt class="dlterm">Other System Certificate Store</dt>
<dd>This certificate store provides an alternate storage location for server
or client certificates that you use for SSL sessions. Other System Certificate
Stores are user-defined secondary certificate stores for SSL certificates.
The Other System Certificate Store option allows you to manage certificates
for applications that you or others write that use the SSL_Init API to programmatically
access and use a certificate to establish an SSL session. This API allows
an application to use the default certificate for a certificate store rather
than a certificate that you specifically identify. Most commonly, you use
this certificate store when migrating certificates from a prior release of
DCM, or to create a special subset of certificates for SSL use. </dd>
</dl>
<div class="p"><div class="note"><span class="notetitle">Note:</span> If you have an IBM Cryptographic Coprocessor installed on your system,
you can choose other private key storage options for your certificates (with
the exception of object signing certificates). You can elect to store the
private key on the coprocessor itself or use the coprocessor to encrypt the
private key and store it in a special key file instead of in a certificate
store. </div>
</div>
<p>DCM controls access to certificate stores through passwords. DCM also maintains
access control of the integrated file system directory and the files that
constitute the certificate stores. The Local Certificate Authority (CA), *SYSTEM,
*OBJECTSIGNING, and *SIGNATUREVERIFICATION certificate stores must be located
in the specific paths within the integrated file system, Other System Certificate
stores can be located anywhere in the integrated file system.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4abunderstanddc.htm" title="View this information to better understand what digital certificates are and how they work. Learn about the different types of certificates and how you can use them as part of your security policy.">DCM concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahutypesofcerts.htm" title="Use this information to learn about the different types of digital certificates and how they are used in the Digital Certificate Manager (DCM).">Types of digital certificates</a></div>
</div>
</div>
</body>
</html>