Building a key ring manually

In CICS®, the required server certificate and related information about certificate authorities are held in a key ring in the RACF® database. The key ring contains your system's private and public key pair, together with your server certificate and the certificates for all the certificate authorities that might have signed the certificates you receive from your clients.

Before you begin

Before you can use SSL with CICS, you must create a key ring that contains a private and public key pair and a server certificate.

To create a key ring, you must have UPDATE authority to the IRR.DIGTCERT.ADDRING resource in the FACILITY class.

If you want to share certificates in a key ring between CICS regions, make sure either of the following conditions is met:
  • The CICS regions share the same user ID that owns the key ring.
  • Each region user ID that does not own the key ring has been granted authority to access the key ring.

About this task

The RACDCERT command installs and maintains public key infrastructure (PKI) private keys and certificates in RACF. You can either issue the RACDCERT command manually to create a new key ring, or use the DFH$RING sample program; see Building a key ring with certificates using DFH$RING.

To create a key ring manually, follow these steps:

Procedure

Issue the following RACDCERT command:
RACDCERT ID(cics-region-userid) ADDRING(ringname)
The key ring must be associated with the CICS region user ID.

Results

RACF creates the key ring in the RACF database. If there is a key ring of the same name already in the RACF database, it is replaced with the new key ring.
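
The following batch TSO job is an added example, not part of the original procedure. It grants the ADDRING authority named under "Before you begin", lists the ring before creating it so that an existing ring of the same name is noticed first, and lists it again afterwards to confirm the result. CICSRGN1, CICSRING, SECADM1 and the JOB card values are placeholders, and the job assumes the submitter is allowed to administer FACILITY class profiles.

```jcl
//ADDRING  JOB (ACCT),'CICS KEY RING',CLASS=A,MSGCLASS=X
//* Added example. CICSRGN1, CICSRING and SECADM1 are placeholders.
//* Assumes the submitter may administer FACILITY class profiles.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Authorize the administrator to create key rings.         */
  /*    RDEFINE reports an error and changes nothing if the      */
  /*    profile is already defined.                              */
  RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
  PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) -
         ID(SECADM1) ACCESS(UPDATE)
  /*    Refresh is needed only if FACILITY is RACLISTed.         */
  SETROPTS RACLIST(FACILITY) REFRESH
  /* 2. Check whether a ring of this name already exists.        */
  RACDCERT ID(CICSRGN1) LISTRING(CICSRING)
  /* 3. Create the ring under the CICS region user ID.           */
  RACDCERT ID(CICSRGN1) ADDRING(CICSRING)
  /* 4. Confirm the ring is present for the region user ID.      */
  RACDCERT ID(CICSRGN1) LISTRING(CICSRING)
/*
```

Review the SYSTSPRT output of step 2 before relying on step 3: a newly created ring is empty, so the second listing should show the ring with no certificates connected.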

What to do next

Create a signing certificate (certificate authority certificate) and add it to the key ring.