To generate broker certificates, take the following steps:
- Create the RACF CA signer certificate. This self-signed certificate is used to sign any other personal certificates created or requested in RACF. This step is required once.
- Export the RACF CA signer certificate in CERTDER format. This certificate must be extracted without private keys; CERTDER is a binary format that guarantees that no private keys are exported.
- Create the broker personal certificate. A copy of the certificate and of the private keys is maintained in RACF for future reissue or validation. This certificate must be associated with the broker user ID. Create a personal certificate for each broker or integration server for which you want to enable SSL.
- Export the broker personal certificate in PKCS12DER format. PKCS12DER is a password-protected, binary format that contains the broker certificate and its private keys. You will later import it into the broker keystore; see Create and initialize the broker keystore and truststore (z/OS).
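
A check you can run on the two exported files before distributing them, as an added example that is not part of the original documentation: it looks only at the outer DER structure to confirm that the file meant to be the CA signer certificate is a bare X.509 certificate and not a PKCS#12 container. The function names and the sample bytes are constructed for illustration.

```python
# Added example: classify a DER export by its outer ASN.1 shape only.
# Sample bytes below are constructed skeletons, not real certificates or keys.

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_export(der):
    """Return 'x509-certificate', 'pkcs12' or 'unknown'."""
    try:
        tag, body, end = read_tlv(der)
        if tag != 0x30 or end != len(der):
            return "unknown"
        t1, v1, p1 = read_tlv(body)
        if t1 == 0x02 and v1 == b"\x03":
            # PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }
            return "pkcs12" if read_tlv(body, p1)[0] == 0x30 else "unknown"
        if t1 == 0x30:
            # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, BIT STRING }
            t2, _, p2 = read_tlv(body, p1)
            t3, _, p3 = read_tlv(body, p2)
            if t2 == 0x30 and t3 == 0x03 and p3 == len(body):
                return "x509-certificate"
    except (ValueError, IndexError):
        pass
    return "unknown"

def safe_for_truststore(der):
    """True only for a bare certificate, i.e. a file that cannot carry a private key."""
    return classify_export(der) == "x509-certificate"

def tlv(tag, value):
    """Minimal DER encoder used to build the constructed samples."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    header = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + header + value

ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
SAMPLE_CERTDER = tlv(0x30, tlv(0x30, b"\x00" * 200) + ALG + tlv(0x03, b"\x00" + b"\x01" * 256))
SAMPLE_PKCS12 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701"))))
```

Pass the bytes of each exported file to `classify_export`; anything other than `x509-certificate` for the CA signer export means the wrong format was used.
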
Example commands for each step are as follows: