The IKE daemon and NSS server require the ability to retrieve
digital certificates associated with a particular identity from a RACF® key ring, and to perform operations
with the associated private key.
Before you begin
Assume that you have an X509 digital certificate that has the X500 distinguished name CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US and the domain name ibm.com. The certificate identifies the local IKE daemon that executes on z/OS® with the user ID IKED.
Tip: If you are creating
a certificate for a stack configured to use the certificate service
from an NSS server, issue these commands against the RACF database for the system on which the NSS
server runs. Modify the user ID in the examples to be the user ID
that is running the NSS server and modify the key ring to be the key
ring that is configured in the NSS server's configuration file.
Procedure
Perform the following steps to install the X509 digital
certificate:
- Generate a self-signed certificate under the IKE daemon's user ID. The subject name and the DOMAIN alternate name become the X500DN and FQDN identities that the IKE daemon can present. RACDCERT GENCERT applies a default key size unless SIZE is specified, so add SIZE (for example, SIZE(2048)) if the key length should not depend on the RACF default:
RACDCERT ID(IKED) GENCERT SUBJECTSDN(CN('SYSTEMA STACK1') OU('Inventory') O('IBM') C('US'))
WITHLABEL('SYSTEMA STACK1') ALTNAME(DOMAIN('ibm.com'))
- To replace the self-signed certificate with one signed by a certificate authority, take the following actions:
- Create a certificate request to send to the chosen certificate authority. The request is generated from the certificate that was created in step 1 and is signed with that certificate's private key; the private key itself stays in RACF and is not part of the request. Place the request in a data set called USER1.SYSTEMA.STACK1.GENREQ as follows:
RACDCERT ID(IKED) GENREQ(LABEL('SYSTEMA STACK1')) DSN('USER1.SYSTEMA.STACK1.GENREQ')
- Send the certificate request to the certificate authority. The request is base64-encoded text, so it is typically sent by cutting and pasting it into an email to the certificate authority, or through whatever submission channel the authority provides.
The certificate authority validates the certificate request. If the request is approved, the certificate authority signs a certificate and returns it to the requester.
- Receive the returned certificate into a data set (for example,
USER1.SYSTEMA.STACK1.CERT). The returned certificate is
in base 64-encoded text. This can be done by cutting and pasting,
with FTP, or with another technique.
- Replace the self-signed certificate with the certificate that is signed by the certificate authority. RACF treats the returned certificate as a replacement only when the user ID specified as the ID value on the RACDCERT ADD command is the same user ID under which the certificate was created in step 1, because that is where the matching private key is held. If a different user ID is specified, the certificate is added as a new certificate under that ID, has no private key associated with it, and cannot be used by the IKE daemon; the self-signed certificate is left in place. Ensure that the user ID is the same.
RACDCERT ID(IKED) ADD('USER1.SYSTEMA.STACK1.CERT') WITHLABEL('SYSTEMA STACK1')
- Connect the certificate to an existing key ring:
RACDCERT ID(IKED) CONNECT(LABEL('SYSTEMA STACK1') RING(ikeyring) USAGE(PERSONAL))
- Connect the certificate authority's certificate to the key ring. The CA certificate must already be in the RACF database as a CERTAUTH certificate (added with RACDCERT CERTAUTH ADD); External CA is the label used for it in this example:
RACDCERT ID(IKED) CONNECT(CERTAUTH LABEL('External CA') RING(ikeyring) USAGE(CERTAUTH))
This completes the certificate hierarchy from the root to SYSTEMA STACK1. If the signing authority is an intermediate CA, connect its issuer's certificate in the same way so that the chain in the key ring reaches the root.
- Add the following statement to the IKE daemon configuration
file, iked.conf, or the NSS server configuration file, nssd.conf:
Keyring IKED/ikeyring
Results
You know you are done when the X509 digital certificate is available and is mapped to the X500DN identity CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US from the certificate's subject name, and to the FQDN identity ibm.com from the certificate's subject alternate name.
You can verify that the certificates that you have created are connected to the key ring associated with user ID IKED by using the RACDCERT command and examining the Ring Associations field in the output; it should show IKED/ikeyring for each certificate. Verify that the certificate authority's certificate exists and is connected to IKED/ikeyring as follows:
RACDCERT CERTAUTH LIST(LABEL('External CA'))
Verify that the personal certificate for the IKE daemon was created and is connected to IKED/ikeyring as follows. The output should also show that a private key is present, which confirms that the CA-signed certificate replaced the self-signed one rather than being added beside it:
RACDCERT ID(IKED) LIST(LABEL('SYSTEMA STACK1'))
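The checks below are an added example and are not part of the IBM page; they use the OpenSSL command line, not RACF. They show what a practitioner can verify about a CA-returned certificate before issuing RACDCERT ADD: that its subject maps to the expected X500DN identity, that its alternate name carries the expected FQDN identity, that its public key is the one from the request (the condition under which RACF can treat it as a replacement for the self-signed certificate and keep the private key), and that it chains to the CA certificate that will be connected with USAGE(CERTAUTH). Because the real material lives in RACF, the script constructs stand-ins in a scratch directory: a throwaway "External CA", a request with the step 1 subject, the CA's reply, and a second certificate with the same names but issued for a different key pair. The file names (req.cnf, ca.pem, stack1.csr, stack1.cert, other.cert) and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM page: offline checks on a CA-returned
# certificate before it is RACDCERT ADDed. Requires only the openssl CLI
# (1.1.1 or later assumed). All keys and certificates are constructed here,
# in a scratch directory, to stand in for the RACF-held material.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

EXPECTED_DN='CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US'   # X500DN identity
EXPECTED_FQDN='ibm.com'                                   # FQDN identity

# Minimal OpenSSL config so the example does not depend on the system one.
# The [dn] entry is a placeholder; -subj overrides it below.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
C = US
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[san_ext]
subjectAltName = DNS:ibm.com
EOF

# Stand-in for the "External CA" whose certificate gets USAGE(CERTAUTH).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config req.cnf \
  -subj '/C=US/O=IBM/CN=External CA' -keyout ca.key -out ca.pem 2>/dev/null

# Stand-in for steps 1 and 2: a key pair and a request with the GENCERT subject.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj '/C=US/O=IBM/OU=Inventory/CN=SYSTEMA STACK1' \
  -keyout stack1.key -out stack1.csr 2>/dev/null

# Stand-in for the CA's reply, carrying the DOMAIN('ibm.com') alternate name.
openssl x509 -req -in stack1.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
  -sha256 -extfile req.cnf -extensions san_ext -out stack1.cert 2>/dev/null

# Same names, but issued for a different key pair: what comes back if the wrong
# request was signed. RACDCERT ADD would store this as a new certificate with
# no private key instead of replacing the self-signed one.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj '/C=US/O=IBM/OU=Inventory/CN=SYSTEMA STACK1' \
  -keyout other.key -out other.csr 2>/dev/null
openssl x509 -req -in other.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
  -sha256 -extfile req.cnf -extensions san_ext -out other.cert 2>/dev/null

# Subject DN in RFC 2253 order, the form matched as an X500DN identity.
cert_x500dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# DNS entries of subjectAltName, one per line (the FQDN identity).
cert_fqdns() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# True when the returned certificate carries the public key from the request,
# i.e. when it belongs to the private key already held in RACF for ID(IKED).
pubkey_matches_request() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  req_pub="$(openssl req -in "$2" -noout -pubkey)"
  [ "$cert_pub" = "$req_pub" ]
}

# True when the certificate validates against the CA certificate that will
# sit in the key ring with USAGE(CERTAUTH).
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# All pre-ADD checks; prints the first failure and returns non-zero.
check_returned_cert() {
  cert="$1"; csr="$2"; ca="$3"
  [ "$(cert_x500dn "$cert")" = "$EXPECTED_DN" ] || { echo "$cert: subject is not $EXPECTED_DN"; return 1; }
  cert_fqdns "$cert" | grep -qx "$EXPECTED_FQDN" || { echo "$cert: no SAN DNS:$EXPECTED_FQDN"; return 1; }
  pubkey_matches_request "$cert" "$csr" || { echo "$cert: public key differs from the request"; return 1; }
  chains_to_ca "$cert" "$ca" || { echo "$cert: does not chain to the CA certificate"; return 1; }
  echo "$cert: ok, safe to RACDCERT ADD under the same ID"
}

check_returned_cert stack1.cert stack1.csr ca.pem
check_returned_cert other.cert stack1.csr ca.pem || echo "rejected as expected"
```

On a real system the request and returned certificate would be the base64 text taken from USER1.SYSTEMA.STACK1.GENREQ and USER1.SYSTEMA.STACK1.CERT; the same four functions apply to those files once they are on a workstation with OpenSSL. The public-key comparison is the one that catches the failure mode described in the replacement step, since a certificate for the wrong key has a correct subject and alternate name and still chains to the CA.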
Requirement: If the certificates connected
to the key ring are for an NSS client, you must create a SERVAUTH
profile for each certificate. You must give the user ID associated
with the NSS client access to this profile. Create this profile in
the RACF database for the system
on which the NSS server runs. For details about these profiles, see
Steps for authorizing resources for NSS.