Using the z/OS hardware cryptography leveraging ICSF and RACF keystores
Integrated Cryptographic Service Facility (ICSF) is the software on a z/OS system that serves as an interface with the hardware where keys can be stored. IBMJCECCARACFKS keystores handle certificates and keys managed in Resource Access Control Facility (RACF). The certificates are stored in RACF, but you can store keys in ICSF or RACF. The IBMJCECCARACFKS keystore achieves hardware crypto exploitation, such as encryption, decryption and signing, regardless of whether the keys are stored in RACF or in ICSF.
Before you begin
Before starting this task, you should become familiar with the content of the topic Hardware cryptographic device support for Web Services Security.
- Ensure that the necessary setup for placing your certificates in RACF has been completed. Refer to the z/OS documentation for the version of z/OS that is running on your system for information on how to place your certificates in RACF.
- Know the CSFSERV access permissions required for the ICSF Services that the IBMJCECCA provider uses. Refer to the document Standard Edition, Hardware Cryptography IBMJCECCA Overview for information about these access permissions.
- Ensure that ICSF is running.
About this task
The JCECCAKS keystore is used for keys that you manage and store directly in ICSF and requires that you include the IBMJCECCA provider in the provider list specified in the java.security file.
The JCECCARACFKS keystore is used for certificates and keys that you manage in RACF. You store the certificates in RACF, and you can store the keys in either RACF or ICSF. Using the JCECCARACFKS keystore type requires that you include the IBMJCECCA provider in the provider list specified in the java.security file. You can achieve hardware crypto exploitation for performance benefit even when your keys are not stored in the hardware.
The JCERACFKS keystore is used with the IBMJCE provider or the IBMJCECCA provider. You can use the JCERACFKS keystore for certificates and keys that are managed and stored by RACF. You can achieve hardware crypto exploitation for performance benefit when using the IBMJCECCA provider. The URI path reference for the JCERACFKS keystore is in the form safkeyring:///your_keyring_name.
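The following Java program is an added example, not code from the original page or from IBM, showing how the pieces described above fit together: the IBMJCECCA provider placed in the java.security provider list, a JCECCARACFKS keystore opened from a safkeyring:/// URI, and a check that a signature made with a key from that ring was actually dispatched to the hardware provider rather than falling back to software. The key ring name MYRING, the alias websvc, the class RacfKeyringCheck and the java.security entries shown in the comment are assumptions for the example; the CSFSERV and RACF permissions are whatever your installation requires.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

/**
 * Loads a RACF key ring through the IBMJCECCA provider and reports which
 * provider performed a signing operation.
 *
 * Assumed setup (example assumptions, not taken from the original page):
 *   - java.security lists the hardware provider ahead of the software one:
 *       security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
 *       security.provider.2=com.ibm.crypto.provider.IBMJCE
 *   - the safkeyring: URL handler is registered when the JVM starts:
 *       -Djava.protocol.handler.pkgs=com.ibm.crypto.hdwrCCA.provider
 *   - the key ring MYRING (placeholder) contains a certificate with the
 *     alias "websvc" (placeholder) and the JVM's user ID has the RACF and
 *     CSFSERV access that ICSF requires.
 */
public class RacfKeyringCheck {

    // JCECCARACFKS: certificates in RACF, keys in RACF or ICSF, crypto via IBMJCECCA.
    private static final String KEYSTORE_TYPE = "JCECCARACFKS";
    // Placeholder ring name; SAF key rings are addressed as safkeyring:///<ring_name>.
    private static final String KEYRING_URI = "safkeyring:///MYRING";
    // SAF key rings are protected by RACF, not by a password; the literal
    // "password" is the conventional value passed to load() and getKey().
    private static final char[] KEYRING_PASSWORD = "password".toCharArray();

    /** Opens the key ring explicitly through the IBMJCECCA provider. */
    public static KeyStore loadKeyring() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE, "IBMJCECCA");
        try (InputStream in = new URL(KEYRING_URI).openStream()) {
            ks.load(in, KEYRING_PASSWORD);
        }
        return ks;
    }

    /**
     * Signs a constructed payload with the ring's private key, verifies it
     * against the ring's own certificate, and returns the name of the
     * provider that was selected for the signing operation.
     */
    public static String signAndReportProvider(KeyStore ks, String alias) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, KEYRING_PASSWORD);
        if (key == null) {
            throw new IllegalStateException("no private key for alias " + alias
                + " (certificate-only entry, or not connected to the ring)");
        }
        byte[] payload = "constructed test payload".getBytes(StandardCharsets.UTF_8);

        // No provider is named here on purpose: JCA defers provider selection
        // until initSign() sees the key, so the provider it settles on shows
        // whether the hardware path (IBMJCECCA) or a software path was used.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(payload);
        byte[] der = signer.sign();

        // Verify against the certificate from the same ring so a mismatched
        // key/certificate pair is caught before the key is used in production.
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(payload);
        if (!verifier.verify(der)) {
            throw new IllegalStateException("signature did not verify against ring certificate");
        }
        return signer.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // Fail early if java.security was not updated to include IBMJCECCA.
        if (Security.getProvider("IBMJCECCA") == null) {
            throw new IllegalStateException("IBMJCECCA is not in the java.security provider list");
        }
        String alias = args.length > 0 ? args[0] : "websvc";
        String provider = signAndReportProvider(loadKeyring(), alias);
        System.out.println("alias " + alias + " signed by provider " + provider
            + ("IBMJCECCA".equals(provider) ? " (hardware crypto)" : " (software fallback)"));
    }
}
```

Run it once after changing java.security or the key ring: if the output names IBMJCE rather than IBMJCECCA, the provider list, the URL handler property, or the key material is not in the state this page describes, and the performance benefit of hardware crypto is not being realised.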