Should the KEYRING_PW section in the SYSconfig.cnf file have a value when using SAF keyrings? It currently has the following default:
INITIATE_SIDE = password
RECEIVE_SIDE = password
CA XCOM passes the KEYRING_FILE and KEYRING_PW values to the IBM System SSL API as the attributes GSK_KEYRING_FILE and GSK_KEYRING_PW. The value of KEYRING_PW should be null so that the KEYRING_FILE value (e.g. KEYRING_FILE = userid/keyring) is interpreted as a SAF keyring.
According to the IBM System SSL API Reference Guide, GSK_KEYRING_FILE is interpreted as one of the following:
- A database key file (if GSK_KEYRING_PW is also set, it is then used to decrypt the file)
- A SAF keyring specified as "userid/keyring" (if GSK_KEYRING_PW is not set)
- A PKCS #11 token if specified as "*TOKEN*/token-name"
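
The following is an added example, not CA XCOM or IBM code: a small check that applies the three rules above to each side of a configuration and flags a SAF-style keyring name that has a password set. The bracketed [KEYRING_FILE] / [KEYRING_PW] section layout, the sample values, and testing the password before the *TOKEN* prefix are assumptions.

```python
import configparser
import re

# Constructed sample; the bracketed section layout is an assumption.
SAMPLE_CNF = """\
[KEYRING_FILE]
INITIATE_SIDE = userid/keyring
RECEIVE_SIDE = userid/keyring

[KEYRING_PW]
INITIATE_SIDE = password
RECEIVE_SIDE =
"""

# Heuristic: a 1-8 character z/OS user ID, a slash, then a ring name.
SAF_RING = re.compile(r"^[A-Za-z0-9@#$]{1,8}/[^/]+$")


def interpret(keyring_file, keyring_pw):
    """Classify a KEYRING_FILE / KEYRING_PW pair using the rules listed above.
    Checking the password first is an assumption about precedence."""
    if keyring_pw:                       # password set: value is a file path
        return "key database file"
    if keyring_file.startswith("*TOKEN*/"):
        return "PKCS #11 token"
    return "SAF keyring"


def audit(cnf_text):
    """Return {side: (interpretation, finding or None)} for both sides."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep INITIATE_SIDE / RECEIVE_SIDE case
    cp.read_string(cnf_text)
    files = cp["KEYRING_FILE"] if cp.has_section("KEYRING_FILE") else {}
    pws = cp["KEYRING_PW"] if cp.has_section("KEYRING_PW") else {}
    report = {}
    for side in ("INITIATE_SIDE", "RECEIVE_SIDE"):
        ring = (files.get(side) or "").strip()
        pw = (pws.get(side) or "").strip()
        kind = interpret(ring, pw)
        finding = None
        if kind == "key database file" and SAF_RING.match(ring):
            finding = (f"{side}: '{ring}' looks like a SAF keyring but "
                       "KEYRING_PW is set, so it is read as a key database file")
        report[side] = (kind, finding)
    return report

if __name__ == "__main__":
    for side, (kind, finding) in audit(SAMPLE_CNF).items():
        print(side, "->", kind, "|", finding or "ok")
```

With the sample above, the INITIATE_SIDE entry still carries the default password and is flagged, while the RECEIVE_SIDE entry with an empty KEYRING_PW resolves to a SAF keyring.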