z/OS Security Server RACF Security Administrator's Guide


Steps for using an internal CA to sign a server certificate for each RRSF node

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

Perform the following steps to create a CA certificate that you will use to sign an individual server certificate for each TCP/IP node connection in your RRSF network.
  1. Choose a system in your RRSF network as the CA host system. This system will host your new signing CA certificate.
    1. On the CA host system, create the RRSF CA certificate.
      Example:
      RACDCERT CERTAUTH GENCERT 
         WITHLABEL('RRSFCA') 
         SUBJECTSDN(CN('RRSFCA') O('YOURORG') C('US')) 
         NOTAFTER(DATE(2031-09-01))
    2. List the new RRSF CA certificate and record the issuer's distinguished name and serial number.
      Example:
      RACDCERT CERTAUTH LIST(LABEL('RRSFCA'))
      Issuer's distinguished name: ______________________________
      Serial number:               ______________________________

    ______________________________________________________________________

  2. On the CA host system, create the server certificate for the local RRSF node and associate it with the user ID of the RACF® subsystem.
    Example:
    RACDCERT ID(RACFSUB) GENCERT 
       SIGNWITH(CERTAUTH LABEL('RRSFCA'))
       WITHLABEL('RRSF Server')
       SUBJECTSDN(CN('RACF Address Space') O('YOURORG') C('US')) 
       KEYUSAGE(HANDSHAKE)
       NOTAFTER(DATE(2016-09-01))   

    ______________________________________________________________________

  3. On a remote RRSF node, create a certificate request for a server certificate for this remote node. For a multisystem node, create the request on only one of the member systems.
    1. Create a self-signed placeholder certificate.
      Example:
      RACDCERT ID(RACFSUB) GENCERT 
         WITHLABEL('RRSF Server')
         SUBJECTSDN(CN('RACF Address Space') O('YOURORG') C('US')) 
         KEYUSAGE(HANDSHAKE) 
         NOTAFTER(DATE(2016-09-01))   
    2. Create a certificate request based on the self-signed certificate you just created.
      Example:
      RACDCERT GENREQ(LABEL('RRSF Server')) ID(RACFSUB) DSN(RRSF.REQ)

      Result: A base64-encoded certificate request is stored in the specified data set on the remote node.

    ______________________________________________________________________

  4. Transfer the certificate request from the data set on the remote node to a data set on the CA host system.

    Because this is a base64-encoded request, transfer the request as text to ensure that the ASCII translation from EBCDIC takes place. To do this, use ASCII (not binary) FTP or copy the text of the request from the data set on the remote node and paste it into an empty data set with identical attributes on the CA host system. Be sure to include the BEGIN and END lines.

    Note: The example in the next step specifies a data set on the CA host system with the same name as the data set on the remote node.

    ______________________________________________________________________

  5. On the CA host system, create the server certificate for the remote node and sign it with the RRSF CA certificate you created in Step 1.a.

    Because the certificate created in this step is for the remote node and will not be used on the host system, you can associate the certificate with any user ID. If you choose to associate it with the same user ID as the certificate used by the local RRSF node (created in Step 2), specify a different certificate label using the WITHLABEL operand to avoid an error in this step.

    Example:
    RACDCERT GENCERT(RRSF.REQ) ID(RACFSUB)
       SIGNWITH(CERTAUTH LABEL('RRSFCA')) 
       WITHLABEL('RRSF Server2')

    ______________________________________________________________________

  6. On the CA host system, export the newly signed certificate to a data set. You can use the same data set that you used to store the certificate request in Step 3.b.
    Example:
    RACDCERT EXPORT(LABEL('RRSF Server2')) ID(RACFSUB) 
       DSN(RRSF.REQ)
       FORMAT(PKCS7B64)

    Result: RACF stores the resulting export package in the specified data set in the PKCS #7 format. The package contains both the new server certificate and the RRSF CA certificate that signed it.

    Optionally, now delete the server certificate on the CA host system that you created in Step 5 because it is no longer needed.

    Example:
    RACDCERT DELETE(LABEL('RRSF Server2')) ID(RACFSUB)

    ______________________________________________________________________

  7. Transfer the export package from the data set on the CA host system to a data set on the remote node.

    Use ASCII (not binary) FTP or copy the text of the certificates from the data set on the CA host system and paste it into an empty data set with identical attributes on the remote node. Be sure to include the BEGIN and END lines. (To view sample certificate text, see Base64-encoded certificates.)

    For a multisystem node, transfer the export package to only one of the member systems.

    Optionally, now delete the data set on the CA host system because it is no longer needed.

    ______________________________________________________________________

  8. On the remote node, add the newly signed certificate to replace the self-signed placeholder certificate you created in Step 3.a.
    1. Add the export package, which contains the newly signed server certificate and the RRSF CA certificate:
      Example:
      RACDCERT ADD(RRSF.REQ) ID(RACFSUB) TRUST WITHLABEL('RRSF Server')
      Results: Both the server certificate and the RRSF CA certificate are added to the RACF database on the remote node. The RRSF CA certificate is assigned a generated label. The following message is issued:
      IRRD152I Root Certificate Authority not currently defined to RACF. Top 
               CERTAUTH certificate added with the TRUST status.
    2. Find out the generated label of the RRSF CA certificate. To do this, list the RRSF CA certificate by specifying the issuer's distinguished name and the serial number you recorded in Step 1.b. Make note of the generated certificate label.
      Example:
      RACDCERT LIST(ISSUERSDN('CN=RRSFCA.O=YOURORG.C=US') SERIALNUMBER(00))
         CERTAUTH

      If you did not record the issuer's name and serial number in Step 1.b, issue the RACDCERT LIST CERTAUTH command and review the list of CA certificates. Locate the RRSF CA certificate by its subject's distinguished name, for example CN('RRSFCA') O('YOURORG') C('US'), and make note of the label.

    3. (Optional) Modify the label of the RRSF CA certificate.
      Example:
      RACDCERT ALTER(LABEL('generated-label')) CERTAUTH NEWLABEL('RRSFCA')

    ______________________________________________________________________

  9. On each RRSF node, create a RACF key ring for use with RRSF and add both the RRSF CA certificate and the server certificate to the ring.
    1. Create the RRSF key ring.
      Example:
      RACDCERT ID(RACFSUB) ADDRING(IRR.RRSF.KEYRING)

      Specify the key ring name provided by the programmer in Before you begin.

    2. Connect the server certificate to the key ring.
      Example:
      RACDCERT ID(RACFSUB) CONNECT(LABEL('RRSF Server') 
         RING(IRR.RRSF.KEYRING)
         DEFAULT 
         USAGE(PERSONAL))
    3. Connect the RRSF CA certificate to the key ring.
      Example:
      RACDCERT ID(RACFSUB) CONNECT(CERTAUTH LABEL('RRSFCA') 
         RING(IRR.RRSF.KEYRING)
         USAGE(CERTAUTH))
    4. Permit the user ID of the RACF subsystem to access the key ring by administering a profile in either the FACILITY or the RDATALIB class.
      Note: Do not skip this step even when the user ID of the RACF subsystem has the TRUSTED or PRIVILEGED attribute on your system.
      • When using the FACILITY class:
        RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) 
        PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RACFSUB) ACCESS(READ)
        • If the FACILITY class is not already active, activate and RACLIST it.
          SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
        • If the FACILITY class is already active and RACLISTed, refresh it.
          SETROPTS RACLIST(FACILITY) REFRESH
      • When using the RDATALIB class:
        RDEFINE RDATALIB IRR.RRSF.KEYRING.LST UACC(NONE)
        PERMIT IRR.RRSF.KEYRING.LST CLASS(RDATALIB) ID(RACFSUB) ACCESS(READ)
        • If the RDATALIB class is not already active, activate and RACLIST it.
          SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
        • If the RDATALIB class is already active and RACLISTed, refresh it.
          SETROPTS RACLIST(RDATALIB) REFRESH

    ______________________________________________________________________

When you are finished, you have created two key rings, one for the CA host system and one for the remote TCP/IP node in your RRSF network. You have also added to each ring the signed server certificate for that node and its signing CA certificate.

Important: For each additional RRSF node that you want to allow to communicate using TCP/IP, repeat Steps 3 through 9. When you are finished, you have implemented an RRSF trust policy for TCP/IP node connections.
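The text-versus-binary transfer caveat in Steps 4 and 7 fails silently: a request or export package sent in binary mode arrives as EBCDIC bytes and RACDCERT cannot read it. The following Python check is an added example, not part of the RACF documentation; it assumes the data set is being relayed through an ASCII workstation (where it can be inspected before the upload to the other node), that IBM code page 037 is the EBCDIC code page in use, and that the sample request body and block label are constructed placeholders. It reports whether the file is still EBCDIC, whether every BEGIN/END pair is complete, and whether each base64 body decodes to DER.

```python
import base64
import re

# One BEGIN/END block; the label (group 1) must be repeated on the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def check_transfer(data: bytes) -> dict:
    """Report whether a transferred request/export data set is usable. A text-mode
    (ASCII) FTP yields ASCII bytes; a binary-mode FTP leaves EBCDIC (code page 037)."""
    report = {"encoding": None, "blocks": [], "problems": [], "ok": False}
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        text = ""
    if "-----BEGIN" not in text:
        if "-----BEGIN" in data.decode("cp037"):
            report["encoding"] = "ebcdic"
            report["problems"].append("still EBCDIC: sent in binary mode, re-send as text")
        else:
            report["problems"].append("no BEGIN line found")
        return report
    report["encoding"] = "ascii"
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            report["problems"].append(f"{label}: body is not valid base64")
            continue
        # DER certificates, requests and PKCS #7 packages all start with SEQUENCE (0x30).
        if not der or der[0] != 0x30:
            report["problems"].append(f"{label}: decoded body is not a DER SEQUENCE")
            continue
        report["blocks"].append(label)
    if not report["blocks"] and not report["problems"]:
        report["problems"].append("BEGIN line found but no matching END line")
    report["ok"] = bool(report["blocks"]) and not report["problems"]
    return report

# Constructed sample: a minimal DER SEQUENCE stands in for a real request body,
# and the block label is a placeholder (any uppercase label is accepted).
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(check_transfer(SAMPLE_PEM.encode("ascii")))  # text-mode transfer: ok
    print(check_transfer(SAMPLE_PEM.encode("cp037")))  # binary-mode transfer: flagged
```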

Copyright IBM Corporation 1990, 2014