Editing the Authority on a Key Store

To edit the authority on a Key Store, you must be authorized to the EDTOBJAUT command and must have *OBJMGT authority to the Validation List object. (The object owner, and any profile with *ALLOBJ special authority, also satisfies this requirement.)

Do the following steps to edit the authority on a Validation List object that contains a Key Store:

  1. Enter the command EDTOBJAUT OBJ(library/vldlist) OBJTYPE(*VLDL), where library is the name of the library that contains the Validation List and vldlist is the name of the Key Store Validation List.
  2. Specify the authorities for the object.
  3. Press Enter after the authorities are entered.

Authority recommendations for Key Store Validation List (*VLDL) objects:

  • Set *PUBLIC authority on the object to *EXCLUDE.
  • Grant *USE authority only to those users who need to use Data Encryption Keys (DEKs) within the Key Store (Validation List) to encrypt and decrypt data. Also ensure that those users have at least *USE authority to the library that contains the Key Store.
  • Grant *CHANGE authority only to those users (Key Officers) who are allowed to create new Data Encryption Keys (DEKs) in the Key Store. Note that *CHANGE includes the data rights of *USE, so Key Officers are also able to use the DEKs; keep this group as small as possible.

NOTE: If a user attempts to access a Key Store they are not authorized to through Powertech Encryption for IBM i's screens or APIs, the authority error is logged to an audit file.
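
The following CL commands apply the recommendations above from a command line or CL program instead of the interactive EDTOBJAUT screen. This is an added example, not part of the original page or of the Powertech product; the library MYLIB, the Validation List MYKEYS, and the user profiles APPUSR (an application user) and KEYOFF (a Key Officer) are assumed names that you would replace with your own.

```cl
/* Added example (assumed names): lock down the Key Store Validation   */
/* List MYLIB/MYKEYS following the authority recommendations.          */

/* 1. Remove public access to the Key Store.                           */
GRTOBJAUT OBJ(MYLIB/MYKEYS) OBJTYPE(*VLDL) USER(*PUBLIC) AUT(*EXCLUDE)

/* 2. Users who encrypt/decrypt with DEKs in the store get *USE only.  */
GRTOBJAUT OBJ(MYLIB/MYKEYS) OBJTYPE(*VLDL) USER(APPUSR) AUT(*USE)

/* 3. Key Officers who create new DEKs get *CHANGE.                    */
GRTOBJAUT OBJ(MYLIB/MYKEYS) OBJTYPE(*VLDL) USER(KEYOFF) AUT(*CHANGE)

/* 4. Both groups need at least *USE to the library that holds the     */
/*    Key Store, or the object authority above is never reached.       */
GRTOBJAUT OBJ(MYLIB) OBJTYPE(*LIB) USER(APPUSR KEYOFF) AUT(*USE)

/* 5. Verify: the display should show *PUBLIC *EXCLUDE, APPUSR *USE,   */
/*    KEYOFF *CHANGE, and no other entries you did not intend.         */
DSPOBJAUT OBJ(MYLIB/MYKEYS) OBJTYPE(*VLDL)
```

The *PUBLIC grant is issued first so that no window exists in which the object is readable by everyone while the specific grants are being applied. If a user you did not intend appears in the DSPOBJAUT output, remove them with RVKOBJAUT OBJ(MYLIB/MYKEYS) OBJTYPE(*VLDL) USER(name) AUT(*ALL).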

For a complete discussion regarding using Key Store Authority and Authorization Lists to control encryption and decryption, see Controlling Access to Decrypted Values.

Related Topics