Using an existing certificate that is not owned by the CICS region user ID

You can share a single certificate between CICS® systems, even when the certificate is not owned by the region user ID of each system, by using the RACF® RDATALIB class to control access to the key ring that CICS reads it from.

About this task

For any CICS resource that has the CERTIFICATE attribute, and for Web Services Security, the certificate that CICS uses must by default be owned by the CICS region user ID. CICS retrieves the certificate and its private key from the key ring through the RACF R_datalib callable service, and the private key of a certificate owned by another user ID is returned only if the caller has sufficient authority in the RACF RDATALIB general resource class. If CICS needs to use a certificate that it does not own, for example a single certificate that is shared by multiple CICS systems where each system has a different region user ID, you can use the RDATALIB class to grant each region user ID the authority it needs to read that certificate, including its private key, from its key ring.

Procedure

  1. Connect the certificate to the key ring that the CICS region uses, specifying USAGE(PERSONAL) on the RACDCERT CONNECT command so that the private key is available to callers of that ring.
  2. If the certificate is a USER certificate, grant the CICS region user ID that is to use the certificate UPDATE authority to the resource ring_owner.ring_name.LST in the RDATALIB class, where ring_owner is the user ID that owns the key ring and ring_name is the name of the key ring. READ authority is not sufficient: it returns the private keys only of certificates that the caller owns.
  3. Activate the RDATALIB class and RACLIST it with the SETROPTS command, then refresh the RACLISTed profiles after any later change to the profile or its access list. RACF applies the RDATALIB check only when the class is active and a profile covers the ring name; otherwise it falls back to the FACILITY class profile IRR.DIGTCERT.LISTRING.
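
The following batch job is an added example of the complete procedure; it is not taken from the CICS documentation. It assumes these names: WEBSRV is the user ID that owns the shared certificate, CICSRG2 is the region user ID of a second CICS system, CICSRNG is the key ring that CICSRG2 owns and names on its KEYRING system initialization parameter, and 'CICS Shared Cert' is the certificate label. The RACF commands are run through the TSO batch terminal monitor program IKJEFT01; they can equally be entered one by one from a TSO session.

```jcl
//RACFCMD  JOB (ACCT),'SHARE CERT',CLASS=A,MSGCLASS=X
//* Added example; WEBSRV, CICSRG2, CICSRNG and the label are
//* assumed names, not values from the CICS documentation.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Connect WEBSRV's certificate to the ring owned by the   */
  /*    CICS region user ID CICSRG2. USAGE(PERSONAL) makes the   */
  /*    private key retrievable; DEFAULT marks it as the ring's  */
  /*    default certificate for SSL/TLS.                         */
  RACDCERT ID(CICSRG2) CONNECT(ID(WEBSRV) LABEL('CICS Shared Cert') +
           RING(CICSRNG) USAGE(PERSONAL) DEFAULT)

  /* 2. Protect the ring in the RDATALIB class (ringOwner.ringName.LST) */
  /*    and give the region user ID UPDATE, which R_datalib requires    */
  /*    before it will return the private key of a USER certificate     */
  /*    owned by another user ID. A SITE or CERTAUTH certificate's      */
  /*    private key needs CONTROL instead.                              */
  RDEFINE RDATALIB CICSRG2.CICSRNG.LST UACC(NONE)
  PERMIT CICSRG2.CICSRNG.LST CLASS(RDATALIB) ID(CICSRG2) ACCESS(UPDATE)

  /* 3. Activate and RACLIST the class; REFRESH loads the new profile */
  /*    and access list into storage so the change takes effect.      */
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
  SETROPTS RACLIST(RDATALIB) REFRESH

  /* Verify: the certificate appears on the ring with USAGE PERSONAL, */
  /* and CICSRG2 appears in the access list with UPDATE.              */
  RACDCERT ID(CICSRG2) LISTRING(CICSRNG)
  RLIST RDATALIB CICSRG2.CICSRNG.LST AUTHUSER
/*
```

Use a discrete profile for the exact ring rather than a generic one, and permit only the region user IDs that need the certificate: UPDATE on ring_owner.ring_name.LST lets that user ID retrieve the private key of every USER certificate connected to the ring, not just the one being shared, and the CICS region user ID is therefore exposing those keys to any path that runs under it. Repeat the CONNECT and PERMIT for each additional region user ID and its ring.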

Results

CICS can use the certificate, including its private key, even though the certificate is owned by the other user ID. For the full set of RDATALIB access rules, see z/OS Security Server RACF Callable Services.