102 lines
4.6 KiB
HTML
102 lines
4.6 KiB
HTML
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
<html>
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||
|
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
|
||
|
<!-- Begin Header Records -->
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<!-- Created for V5R4 by beth hagemeister 7/14/04 -->
|
||
|
<!-- Change history: -->
|
||
|
<!-- end header records -->
|
||
|
<title>Cryptographic Services Key Store</title>
|
||
|
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
|
||
|
</head>
|
||
|
<body>
|
||
|
<a name="Top_Of_Page"></a>
|
||
|
<!--Java sync-link-->
|
||
|
|
||
|
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
|
||
|
</script>
|
||
|
|
||
|
|
||
|
<h2><img src="delta.gif" alt="Start of change">Cryptographic Services
|
||
|
Key Store</h2>
|
||
|
<p>Before reading this information, review the information in
|
||
|
<a href="qc3MasterKeys.htm">Cryptographic Services Master Keys</a>.
|
||
|
</p>
|
||
|
<p>Cryptographic services key store is a set of database files used for storing
|
||
|
cryptographic keys. A key store file is created using the
|
||
|
<a href="qc3crtks.htm">Create Key Store (OPM, QC3CRTKS; ILE, Qc3CreateKeyStore)</a> API.
|
||
|
Any type of key supported by cryptographic
|
||
|
services (e.g. DES, RC2, RSA, MD5-HMAC) can be stored in a key store file.
|
||
|
Keys stored in a cryptographic services key store file can be used with the
|
||
|
cryptographic services APIs in operations on data or keys.
|
||
|
</p>
|
||
|
<p>Keys are added to a key store file
|
||
|
using the
|
||
|
<a href="qc3wrtkr.htm">Write Key Record (OPM, QC3WRTKR; ILE, Qc3WriteKey Record)</a>
|
||
|
or <a href="qc3genkr.htm">Generate Key Record (OPM, QC3GENKR; ILE, Qc3GenKeyRecord)</a> API.
|
||
|
Each record in a key store file holds a key or key pair. When the key
|
||
|
store file is created, the user specifies the master key under which the key
|
||
|
values will be encrypted before storing (except for RSA public key values which
|
||
|
are stored in plaintext.) Besides the key value, the
|
||
|
record contains the key type (e.g. TDES, AES, RSA), the key size, the key
|
||
|
verification value (KVV) of the master key at the time the key value was
|
||
|
encrypted, and a label.
|
||
|
All fields in the key store record are stored as CCSID
|
||
|
65535 except for the record label. The record label will be converted from
|
||
|
the job CCSID or the job default CCSID to Unicode UTF-16 (CCSID 1200).
|
||
|
</p>
|
||
|
<p>Use the
|
||
|
<a href="qc3trnks.htm">Retrieve Key Record Attributes (OPM, QC3RTVKA; ILE, Qc3RetrieveKeyRecordAtts)</a>
|
||
|
API to retrieve the key type, key size,
|
||
|
master key ID, and KVV for a given key record.
|
||
|
</p>
|
||
|
<p>If a master key for a key store file is changed, the keys in that file must
|
||
|
be re-encrypted. The
|
||
|
<a href="qc3trnks.htm">Translate Key Store (OPM, QC3TRNKS; ILE, Qc3TranslateKeyStore)</a>
|
||
|
API can be used to translate key store keys to
|
||
|
another master key, or if the same master key is specified, to the current
|
||
|
version of the master key.</p>
|
||
|
<p>When a key store key is used, the KVV stored in the record is compared with
|
||
|
the KVVs for the master key to determine under which version of the master key
|
||
|
the key store key is encrypted. If the KVV matches the current version KVV,
|
||
|
the operation proceeds normally. If the KVV matches the old version KVV, the
|
||
|
operation proceeds but a warning is issued. The user should use the Translate
|
||
|
Key Store API to re-encrypt the key store file. If the KVV matches neither, an
|
||
|
error is returned indicating the key store key is outdated. It cannot be
|
||
|
recovered unless the master key under which it is encrypted is restored.
|
||
|
</p>
|
||
|
<p>After a key store file is changed by adding keys or translating the key
|
||
|
values, make a backup of the key store file (e.g by using SAVOBJ).
|
||
|
</p>
|
||
|
<p>To export key store keys to another system, use the
|
||
|
<a href="qc3expky.htm">Export Key (OPM, QC3EXPKY; ILE, Qc3ExportKey)</a> API
|
||
|
which will return the key value encrypted under another key.
|
||
|
Because this API can be used to obtain clear key values,
|
||
|
care should be taken to restrict access to this API.
|
||
|
</p>
|
||
|
<p><a href="qc3dltkr.htm">Delete Key Record (OPM, QC3DLTKR; ILE, Qc3DeleteKeyRecord)</a>
|
||
|
API deletes a key record from a key store file.
|
||
|
</p>
|
||
|
|
||
|
<img src="deltaend.gif" alt="End of change">
|
||
|
<br>
|
||
|
|
||
|
<hr>
|
||
|
<center>
|
||
|
<table cellpadding="2" cellspacing="2">
|
||
|
<tr align="center">
|
||
|
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> | <a href=
|
||
|
"catcrypt.htm">Cryptographic Services APIs</a> | <a href="aplist.htm">APIs by
|
||
|
category</a></td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</center>
|
||
|
</body>
|
||
|
</html>
|
||
|
|