As of V5R4, i5/OS now includes key stores. Technically, key stores have an object type of *FILE — and more specifically, a physical database file — but data access to key stores is only possible through the Cryptographic Services APIs. Key stores offer the option of storing key encryption keys or data keys, securely encrypted under a master key. If you are unfamiliar with the concepts of master keys, key encryption keys, and data keys, please see my earlier Cryptographic Key Management articles, which cover those topics in more detail; links are provided at the end of this article.
The Cryptographic Services APIs for managing key stores provide a variety of functions, such as creating a key store, generating or writing a key store record, and deleting a key store record. Other key store APIs let you retrieve the attributes of a key store record or translate all the records in a key store from one master key to another. To discuss key stores in more detail and provide some key store API coding examples, today’s issue of APIs by Example presents a pair of CL commands named Create Key Store (CRTKS) and Translate Key Store (TRNKS) that are based on the respective APIs.
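As an added example (not the source of the CRTKS command described in this article), the CL program below shows the bare API call that such a command wraps: it creates a key store under a chosen master key with public authority *EXCLUDE and reports any API error through the standard error code structure instead of letting the call signal an escape message. The QC3CRTKS parameter list (qualified key store file name, master key ID, public authority, text description, error code) is assumed from the V5R4 API documentation as I recall it and should be checked against your release.

```cl
/* Added example: create a key store encrypted under master key &MKID.   */
/* The QC3CRTKS parameter list is assumed from the V5R4 API documentation */
/* (qualified file name, master key ID, public authority, text            */
/* description, error code); verify it against your release.              */
             PGM        PARM(&KSNAME &KSLIB &MKID)

             DCL        VAR(&KSNAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&KSLIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&MKID)   TYPE(*INT)  LEN(4)   /* master key 1-8 */

             DCL        VAR(&QKS)    TYPE(*CHAR) LEN(20)  /* file + library */
             DCL        VAR(&PUBAUT) TYPE(*CHAR) LEN(10) VALUE('*EXCLUDE')
             DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(50) +
                          VALUE('Key store created by CRTKS example')
             /* ERRC0100 error code: bytes provided, bytes available, msg ID */
             DCL        VAR(&ERRCOD) TYPE(*CHAR) LEN(16)
             DCL        VAR(&MSGID)  TYPE(*CHAR) LEN(7)

             /* A qualified object name is two blank-padded CHAR(10) fields */
             CHGVAR     VAR(&QKS) VALUE(&KSNAME *CAT &KSLIB)

             /* Bytes provided > 0: the API returns the error in the       */
             /* structure instead of signalling an escape message.          */
             CHGVAR     VAR(%BIN(&ERRCOD 1 4)) VALUE(16)

             CALL       PGM(QC3CRTKS) PARM(&QKS &MKID &PUBAUT &TEXT &ERRCOD)

             /* Bytes available > 0 means the API filled in a message ID    */
             IF         COND(%BIN(&ERRCOD 5 4) *GT 0) THEN(DO)
                CHGVAR     VAR(&MSGID) VALUE(%SST(&ERRCOD 9 7))
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Create key store failed with ' *CAT +
                                    &MSGID) MSGTYPE(*ESCAPE)
             ENDDO

             ENDPGM
```

Pass &MKID from a command definition parameter of TYPE(*INT4) or from a declared *INT variable; a numeric literal on an interactive CALL is passed as packed decimal and would not match the Binary(4) parameter the API expects.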
The Cryptographic Services APIs that require a key as input to a cryptographic operation have gained a new KEYD0400 key description parameter format to enable the use of key encryption keys or data keys stored in a key store. This new format lets you specify a qualified key store name and a key label for the key parameter. The key label is the name that uniquely identifies a specific key store record within a key store; you define it when you add the key record to the key store. I discuss key store records in more detail in a moment, and an upcoming APIs by Example will look more closely at the options and methods controlling the management of key store records.