Create Key Store (CRTKEYSTR)

The Create Key Store (CRTKEYSTR) command allows authorized users to create a Key Store for containing Symmetric Keys.

The following users can use this command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer who has *YES specified for the "Maintain key stores" authority setting.
  • When Set as default key store (SETDFT) is *YES, a Key Officer who has *YES specified for the "Maintain key policy" authority setting (the command updates the key policy in that case).

The Key Store is created as a Validation List (*VLDL) object on the System i.

IMPORTANT: This command requires all of the following:
  • At least *CHANGE authority to the library in which you are creating the Key Store;
  • Authority to IBM's CRTVLDL (Create Validation List) command; and
  • Authority to IBM's CRTLIB (Create Library) command when the CRTLIB (Create library) parameter is *YES.

How to Get There

From the Symmetric Encryption Key Menu, choose option 1.

Options

Key store name (KEYSTR)

Indicate the name and library of the Key Store, which is created as a Validation List (*VLDL) object on the System i.

Create library (CRTLIB)

Indicate whether to create the Key Store library if it does not exist.

The possible values are:

*YES Create the library if it does not exist. If the library already exists, the parameter is ignored.
*NO This is the default. Do not attempt to create the library if it does not exist.

MEK id number (MEKID)

Indicate the id number of the Master Encryption Key (MEK) which will be used to encrypt any Symmetric Keys which are added (created) to the Key Store.

The possible values are:

mek-id-number Indicate a number from 1 to 8. A *CURRENT version of that MEK must exist.

Description (TEXT)

Indicate the description for the Key Store object.

Public authority (AUT)

Indicate the public authority for the Key Store *VLDL object.

TIP: Specify *USE to allow all user profiles (*PUBLIC) to use the Key Store without granting each one private authority. *USE is the least authority listed here that still lets every profile use the Key Store; *CHANGE and *ALL grant more than that.

The possible values are:

*USE Grants *PUBLIC *USE authority for the Key Store *VLDL object.
*CHANGE Grants *PUBLIC *CHANGE authority for the Key Store *VLDL object.
*ALL Grants *PUBLIC *ALL authority for the Key Store *VLDL object.
*EXCLUDE Grants *PUBLIC *EXCLUDE authority for the Key Store *VLDL object. With this option, a job whose current user profile has neither private authority to the Key Store nor the *ALLOBJ special authority will encounter a "hard" SQL or Db2 error, and may abort, when it tries to read or modify encrypted data. Grant private authority (for example with GRTOBJAUT) to every profile that must use the Key Store before relying on *EXCLUDE.

Set as default key store (SETDFT)

Indicate to set the new key store as the default key store in the key policy.

The possible values are:

*YES Set the new key store as the default in the key policy.
*NO Do not set the new key store as the default key store in the key policy.
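As an added example, not taken from the product documentation: a CL program that creates a Key Store with *PUBLIC *EXCLUDE, grants one application profile the private *USE authority it needs so its jobs do not hit the error described under AUT(*EXCLUDE), and then displays the resulting authorities. The library and object names (APPKEYLIB, APPKEYSTR), the profile name APPUSER and the choice of MEK 1 are assumptions for illustration; GRTOBJAUT, DSPOBJAUT, MONMSG, RCVMSG and SNDPGMMSG are standard IBM i commands. The MONMSG shown catches only CPF-prefixed messages; if the product signals failures with its own message prefix, add that prefix to the MONMSG.

```cl
/* Added example, not part of the product documentation.                      */
/* Create a key store with *PUBLIC *EXCLUDE, grant the application profile    */
/* private *USE authority, and display the authorities for verification.      */
/* Assumptions: library APPKEYLIB may not exist yet (so CRTLIB(*YES) is used, */
/* which also requires authority to CRTLIB), MEK 1 has a *CURRENT version,    */
/* and APPUSER is the profile whose jobs read the encrypted data.             */
PGM
   DCL        VAR(&LIB)    TYPE(*CHAR) LEN(10) VALUE('APPKEYLIB')
   DCL        VAR(&KEYSTR) TYPE(*CHAR) LEN(10) VALUE('APPKEYSTR')
   DCL        VAR(&MSGID)  TYPE(*CHAR) LEN(7)

   /* Create the key store as a *VLDL. With AUT(*EXCLUDE) only the owner,    */
   /* *ALLOBJ users and explicitly authorized profiles can use it.          */
   CRTKEYSTR  KEYSTR(&LIB/&KEYSTR) CRTLIB(*YES) MEKID(1) +
                TEXT('Application symmetric key store') +
                AUT(*EXCLUDE) SETDFT(*NO)
   MONMSG     MSGID(CPF0000) EXEC(DO)
      RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                   MSGDTA('CRTKEYSTR failed with ' *CAT &MSGID) +
                   MSGTYPE(*ESCAPE)
   ENDDO

   /* Grant the application profile the private authority it needs. Without */
   /* it, APPUSER's jobs get the hard SQL/Db2 error described for *EXCLUDE. */
   GRTOBJAUT  OBJ(&LIB/&KEYSTR) OBJTYPE(*VLDL) USER(APPUSER) AUT(*USE)
   MONMSG     MSGID(CPF0000) EXEC(DO)
      RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                   MSGDTA('GRTOBJAUT failed with ' *CAT &MSGID) +
                   MSGTYPE(*ESCAPE)
   ENDDO

   /* Verify: *PUBLIC should show *EXCLUDE and APPUSER should show *USE. */
   DSPOBJAUT  OBJ(&LIB/&KEYSTR) OBJTYPE(*VLDL) OUTPUT(*)
ENDPGM
```

Compile with CRTBNDCL (or CRTCLPGM) and run it from a profile that meets the authority requirements listed under IMPORTANT above. Keeping *PUBLIC at *EXCLUDE and granting *USE only to the profiles that actually read or write encrypted data is the least-privilege arrangement; the cost is that every such profile must be granted authority explicitly before it runs.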