You can use a RACF keyring as an SSL keystore.
About this task
You must set the HBRSSLKEYSTORE property to the value SAF to
use a SAF keyring such as RACF.
First, create a signing (certificate authority) certificate.
Then, use this signing certificate to sign a server certificate.
Finally, export the signing certificate, which contains only the public
certificate and no private key, and import it into the client web browser,
where it is used to validate the server certificate. The private keys of
both certificates stay in RACF.
Procedure
- Create a certificate authority (CA) certificate (signing
certificate). This example uses RACF commands; the CERTAUTH keyword
stores the certificate as a certificate authority certificate rather
than under a user ID:
RACDCERT GENCERT
CERTAUTH
SUBJECTSDN(CN('ODM Sample Certification Authority')
O('IBM')
OU('ODM'))
SIZE(1024)
WITHLABEL('ODM-Sample-Certification')
SIZE(1024) requests a 1024-bit RSA key, which is weak by current
standards. Outside a test system, use SIZE(2048) or larger for this
certificate and for the server certificate in the next step.
- Create a server certificate that is signed with the signing certificate
from the previous step, where <userid> is the zRule
Execution Server for z/OS® started
task user ID and <hostname> is the host name that clients use to
reach the server that the zRES is running on. Browsers compare that
host name with the certificate, and current browsers check the
subjectAltName extension rather than the CN, so if the browser reports
a host name mismatch, regenerate the certificate with
ALTNAME(DOMAIN('<hostname>')) added to the command.
RACDCERT ID(<userid>) GENCERT
SUBJECTSDN(CN('<hostname>')
O('IBM')
OU('ODM'))
SIZE(1024)
SIGNWITH(CERTAUTH LABEL('ODM-Sample-Certification'))
WITHLABEL('<userid>-zRES')
- You need a keyring to which you can add the two certificates.
Create a keyring by running the following command, where <userid> is
the zRule Execution Server for z/OS started task user ID and <keyring>
is the name of the new keyring:
RACDCERT ADDRING(<keyring>) ID(<userid>)
Alternatively,
you can locate an existing keyring by running this command:
RACDCERT LISTRING(*) ID(<userid>)
- Run these commands to connect the certificates to the keyring
you created or located in the previous step. The CERTAUTH keyword on
the first command identifies the certificate as the CA certificate
from step 1 rather than a certificate owned by <userid>:
RACDCERT ID(<userid>) CONNECT(RING(<keyring>)
LABEL('ODM-Sample-Certification')
CERTAUTH)
RACDCERT ID(<userid>) CONNECT(RING(<keyring>)
LABEL('<userid>-zRES'))
For the server to open the keyring, <userid> also needs READ access to
the IRR.DIGTCERT.LISTRING resource in the FACILITY class (or to the
<userid>.<keyring>.LST resource in the RDATALIB class). If the DIGTCERT
class is RACLISTed, refresh it with SETROPTS RACLIST(DIGTCERT) REFRESH
so that the new certificates become visible.
- Export the signing certificate to a CER file. FORMAT(CERTDER) writes
only the public certificate in DER form, never the private key, so the
file is safe to distribute to clients; the PASSWORD keyword is used only
for PKCS #12 exports and has no effect on a CERTDER export:
RACDCERT CERTAUTH EXPORT(LABEL('ODM-Sample-Certification'))
DSN('<userid>.CERT.ZRESCERT')
FORMAT(CERTDER)
PASSWORD('password')
- FTP the exported certificate to your workstation in binary mode
and import it into your browser. When importing, manually select the
certificate store "Trusted Root Certification Authorities". Automatic
store selection places the certificate in the wrong store, and the
browser then does not trust the server certificate. If you use Chrome,
close all browser windows and end any remaining Chrome processes for
the change to take effect.
- Edit the ++HBRWORKPATH++/servers/sslSAF.xml file
and add the following XML. The SAF keyring is specified
in the URL form safkeyring://<userid>/<keyring>,
where <userid> is the zRule Execution Server for z/OS started
task user ID and <keyring> is the name of the keyring. The password
field is not used for accessing the SAF keyring but must be set to
password.
<keyStore filebased="false" id="racfKeyStore"
location="safkeyring://<userid>/<keyring>"
password="password"
readOnly="true"
type="JCERACFKS"/>
<ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
sslProtocol="SSL_TLS"
serverKeyAlias="<userid>-zRES" />
serverKeyAlias selects the server certificate by its RACF label, so it
must match the WITHLABEL value from step 2. Because no trustStoreRef is
given, the same keyring is also used as the trust store.
sslProtocol="SSL_TLS" allows obsolete protocol versions such as SSLv3
and TLS 1.0 to be negotiated; on current Liberty and Java levels set it
to TLSv1.2 unless older clients must be supported.
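Before starting the server, it is worth confirming that the keyring looks the way Liberty expects. The following Java program is an added example written for this page, not code from ODM or Liberty. It opens the keyring through the same JCERACFKS keystore type that the keyStore element above uses and reports whether the running user can read the ring, whether the server alias carries a private key, whether its certificate chains to the sample CA and is within its validity period, whether it names the host, and how large its RSA key is. It assumes the IBM Java SDK on z/OS (which supplies JCERACFKS and the safkeyring: URL handler, enabled with the java.protocol.handler.pkgs property) and uses the placeholder values USERID, RINGNAME, USERID-zRES and zres.example.com, which are assumptions to replace with your own; run it under the started task user ID.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.List;

/*
 * Added example: opens a RACF keyring through JCERACFKS, the keystore type
 * used by the Liberty keyStore element, and checks what the server will see.
 * Assumed placeholders (not from the page; replace them):
 *   safkeyring://USERID/RINGNAME  started task user ID and keyring name
 *   USERID-zRES                   server certificate label (WITHLABEL)
 *   zres.example.com              host name that clients connect to
 * Run under the started task user ID on z/OS with the IBM Java SDK:
 *   java -Djava.protocol.handler.pkgs=com.ibm.crypto.provider RacfKeyringCheck
 */
public class RacfKeyringCheck {
    // JCERACFKS ignores the password but expects the literal "password",
    // exactly as the Liberty keyStore element does.
    private static final char[] PASSWORD = "password".toCharArray();

    public static void main(String[] args) throws Exception {
        String ring = args.length > 0 ? args[0] : "safkeyring://USERID/RINGNAME";
        String serverAlias = args.length > 1 ? args[1] : "USERID-zRES";
        String caAlias = args.length > 2 ? args[2] : "ODM-Sample-Certification";
        String hostName = args.length > 3 ? args[3] : "zres.example.com";

        KeyStore ks = KeyStore.getInstance("JCERACFKS");
        // Fails here if the running user lacks READ access to the keyring.
        try (InputStream in = new URL(ring).openStream()) {
            ks.load(in, PASSWORD);
        }
        List<String> aliases = Collections.list(ks.aliases());
        System.out.println("Aliases in " + ring + ": " + aliases);

        boolean ok = check(ks.containsAlias(serverAlias), "server alias " + serverAlias + " is in the ring");
        ok &= check(ks.containsAlias(caAlias), "CA alias " + caAlias + " is in the ring");
        if (!ok) {
            System.exit(1);
        }

        // A key entry means RACF holds a private key for the certificate;
        // a certificate-only entry cannot terminate TLS.
        ok &= check(ks.isKeyEntry(serverAlias), "server alias has a private key");

        X509Certificate server = (X509Certificate) ks.getCertificate(serverAlias);
        X509Certificate ca = (X509Certificate) ks.getCertificate(caAlias);

        ok &= check(verifies(server, ca), "server certificate is signed by the CA certificate");
        ok &= check(server.getIssuerX500Principal().equals(ca.getSubjectX500Principal()),
                "server issuer DN matches CA subject DN");
        ok &= check(valid(server), "server certificate is within its validity period");
        ok &= check(valid(ca), "CA certificate is within its validity period");
        ok &= check(namesHost(server, hostName), "server certificate names " + hostName);

        if (server.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) server.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) {
                System.out.println("WARN server RSA key is only " + bits + " bits; use SIZE(2048) or larger");
            }
        }
        System.out.println(ok ? "keyring is ready for Liberty" : "fix the failures above");
        System.exit(ok ? 0 : 1);
    }

    private static boolean verifies(X509Certificate cert, X509Certificate issuer) {
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    private static boolean valid(X509Certificate cert) {
        try {
            cert.checkValidity();
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // Browsers match the host name against dNSName (type 2) entries in
    // subjectAltName; the CN is only a fallback for older clients.
    private static boolean namesHost(X509Certificate cert, String host) throws Exception {
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true;
                }
            }
        }
        return cert.getSubjectX500Principal().getName().toUpperCase().contains("CN=" + host.toUpperCase());
    }

    private static boolean check(boolean passed, String what) {
        System.out.println((passed ? "PASS " : "FAIL ") + what);
        return passed;
    }
}
```

A FAIL on the first two checks usually means a label typo or that the CONNECT commands were run under a different ID; a failure to load the ring at all points at the missing READ access described in step 4. Pass the ring URL, server label, CA label and host name as arguments to check a different configuration.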