Creating writable SAF keyrings
WebSphere® allows a WebSphere administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings through the Open Cryptographic Services Facility (OCSF) Data Library functions for SAF keyrings. This task creates new keystore configurations and their associated keyrings.
Before you begin
Attention: The JCERACFKS keystore type is only available on the z/OS® platform.
Important: You must enable support for writable keyrings in the profile management tool before generating the application server profiles. Writable keyring support is only configurable when running at z/OS Release 1.9, or at z/OS Release 1.8 with APAR OA22287 for RACF (or the corresponding APAR for your equivalent security product) and APAR OA22295 for SAF.
RACF keyring considerations
- Certificate Deletion
- When a certificate is deleted from a RACF keyring, the certificate is not deleted from RACF; it is only disconnected from the keyring. If a certificate is accidentally removed from the keyring, it can be reconnected through RACF. If you want the certificate removed from RACF entirely, the RACF administrator must delete it.
- Import and Export of Certificates
- When importing or exporting certificates to or from a managed SAF keystore, if the certificate already exists in RACF under a different label, it is connected to the keyring under that existing label, regardless of the label you assign on the import or export command.
- Renewing Certificates
- Certificates are not physically deleted from RACF, so the existing certificate label remains in RACF. Renewing a certificate therefore creates a new alias (label) by appending _1, _2, and so on, to the existing certificate label.