IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Generate a broker certificate using RACF as the Certification Authority (z/OS®)

You can use RACF® as the Certification Authority (CA) for internal certificates in your enterprise.

To generate broker certificates, take the following steps:
  1. Create the RACF CA signer certificate. This self-signed certificate is used to sign any other personal certificates created or requested in RACF. This step is required once.
  2. Export the RACF CA signer certificate in CERTDER format. This certificate must be extracted without private keys; CERTDER is a binary format that guarantees that no private keys are exported.
  3. Create the broker personal certificate. A copy of the certificate and of the private keys is maintained in RACF for future reissue or validation. This certificate must be associated with the broker user ID. Create a personal certificate for each broker or integration server for which you want to enable SSL.
  4. Export the broker personal certificate in PKCS12DER format. PKCS12DER is a password-protected, binary format that contains the broker certificate and its private keys. You will later import it into the broker keystore; see Create and initialize the broker keystore and truststore (z/OS).
Example commands for each step are as follows:
  1. Create the RACF CA signer certificate. For example:
    RACDCERT CERTAUTH GENCERT +
       SUBJECTSDN(CN('RACF Cert Authority') T('PROD') +
       OU('RACF Group') +
       O('IBM') +
       L('HURSLEY') SP('WINCHESTER') C('GB')) +
       KEYUSAGE(CERTSIGN) +
       WITHLABEL('RACFCA') +
       NOTAFTER(DATE(2020/01/30)) +
       SIZE(1024)
  2. Export the RACFCA certificate in CERTDER format. For example:
     RACDCERT CERTAUTH EXPORT(LABEL('RACFCA')) +
        DSN('CSQP.CSQPBRK.CACERT.DER') FORMAT(CERTDER)

     OPUT 'CSQP.CSQPBRK.CACERT.DER' +
        '/u/CSQPBRK/ssl/csqpbrk.ca.der' +
        BINARY CONVERT(NO)
     The OPUT command is optional. It copies the exported certificate from the data set into an HFS file so that it can be transferred by FTP to another server.
  3. Create the broker personal certificate. For example:
     RACDCERT ID(CSQPBRK) +
        GENCERT SUBJECTSDN(CN('BROKER.HTTP.CSQPBRK') T('PROD') +
        OU('ISSW') O('IBM') +
        L('HURSLEY') SP('WINCHESTER') C('GB')) +
        WITHLABEL('CSQPBRKCERT') SIZE(1024) +
        SIGNWITH(CERTAUTH LABEL('RACFCA')) +
        KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) +
        NOTAFTER(DATE(2020/01/30))
  4. Export the broker certificate in PKCS12DER format. For example:
     RACDCERT ID(CSQPBRK) EXPORT(LABEL('CSQPBRKCERT')) +
        DSN('CSQP.CSQPBRK.PERSCERT.P12') +
        FORMAT(PKCS12DER) PASSWORD('changeit')

     OPUT 'CSQP.CSQPBRK.PERSCERT.P12' +
        '/u/CSQPBRK/ssl/csqpbrk.pers.p12' +
        BINARY CONVERT(NO)
What to do next: Create the broker keystore and import the personal certificate and RACF CA signer certificates.

ap34024_.htm | Last updated Friday, 21 July 2017