Should the KEYRING_PW section in the SYSconfig.cnf file have a value when using SAF keyrings?

Document ID : KB000057312
Last Modified Date : 14/02/2018
Question:
 
Should the KEYRING_PW section in the SYSconfig.cnf file have a value when using SAF keyrings? It currently has the following default:
[KEYRING_PW]
INITIATE_SIDE = password
RECEIVE_SIDE  = password
 
Answer:
 
CA XCOM passes the KEYRING_FILE and KEYRING_PW values to the IBM System SSL API as the attributes GSK_KEYRING_FILE and GSK_KEYRING_PW. The value of KEYRING_PW should be null in order for the KEYRING_FILE value (e.g. KEYRING_FILE = userid/keyring) to be interpreted as a SAF keyring.
 
Additional Information: 
 
According to the IBM System SSL API Reference Guide, GSK_KEYRING_FILE is interpreted as one of the following:
 
- A database key file (if GSK_KEYRING_PW is also set, it is then used to decrypt the file) 
- A SAF keyring specified as "userid/keyring" (if GSK_KEYRING_PW is not set) 
- A PKCS #11 token if specified as "*TOKEN*/token-name"
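
The following audit script is an added example, not CA XCOM or IBM code. It applies the three interpretation rules above to each side of a configuration and warns when a KEYRING_PW value would stop a "userid/keyring" value from being read as a SAF keyring. The [KEYRING_FILE] section layout (same INITIATE_SIDE/RECEIVE_SIDE keys as [KEYRING_PW]), the sample values, and the function names are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample: the [KEYRING_PW] layout shown above, plus an ASSUMED
# [KEYRING_FILE] section using the same INITIATE_SIDE/RECEIVE_SIDE keys.
SAMPLE_CNF = """\
[KEYRING_FILE]
INITIATE_SIDE = userid/keyring
RECEIVE_SIDE  = userid/keyring

[KEYRING_PW]
INITIATE_SIDE = password
RECEIVE_SIDE  =
"""

TOKEN_PREFIX = "*TOKEN*/"
SAF_SHAPE = re.compile(r"^[^/\s]+/[^/\s]+$")    # "userid/keyring"

def looks_like_saf(value):
    """True for a userid/keyring shaped value that is not a PKCS #11 token."""
    return bool(SAF_SHAPE.match(value)) and not value.startswith(TOKEN_PREFIX)

def interpret(keyring_file, keyring_pw):
    """Apply the three rules listed above, in the order given."""
    if keyring_pw:
        return "key-database-file"    # password set: value is a file to decrypt
    if keyring_file.startswith(TOKEN_PREFIX):
        return "pkcs11-token"
    if looks_like_saf(keyring_file):
        return "saf-keyring"
    return "unrecognized"

def audit(cnf_text):
    """Return {side: (interpretation, warning or None)} for both sides."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str              # keep key names in upper case as written
    cp.read_string(cnf_text)
    results = {}
    for side in ("INITIATE_SIDE", "RECEIVE_SIDE"):
        path = cp.get("KEYRING_FILE", side, fallback="").strip()
        pw = cp.get("KEYRING_PW", side, fallback="").strip()
        warning = None
        if pw and looks_like_saf(path):
            warning = "KEYRING_PW is set; value will not be read as a SAF keyring"
        results[side] = (interpret(path, pw), warning)
    return results

if __name__ == "__main__":
    for side, (kind, warning) in audit(SAMPLE_CNF).items():
        print(f"{side}: {kind}" + (f"  WARNING: {warning}" if warning else ""))
```
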