Generate an integration node certificate using RACF as the Certification Authority (z/OS®)

You can use RACF® as the Certification Authority (CA) for internal certificates in your enterprise.

About this task

To generate integration node certificates, take the following steps:
  1. Create the RACF CA signer certificate. This self-signed certificate is used to sign any other personal certificates created or requested in RACF. This step is required once.
  2. Export the RACF CA signer certificate in CERTDER format. This certificate must be extracted without private keys; CERTDER is a binary format that guarantees that no private keys are exported.
  3. Create the integration node personal certificate. A copy of the certificate and of the private keys is maintained in RACF for future reissue or validation. This certificate must be associated with the integration node user ID. Create a personal certificate for each integration node or integration server for which you want to enable SSL.
  4. Export the integration node personal certificate in PKCS12DER format. PKCS12DER is a password-protected, binary format that contains the integration node certificate and its private keys. You will later import it into the integration node keystore; see Create and initialize the integration node keystore and truststore (z/OS).
Example commands for each step are as follows:

Procedure

  1. Create the RACF CA signer certificate.
    For example:
    RACDCERT CERTAUTH GENCERT +
   SUBJECTSDN(CN('RACF Cert Authority') T('PROD') +
   OU('RACF Group') +
   O('IBM') +
   L('HURSLEY') SP('WINCHESTER') C('GB')) +
   KEYUSAGE(CERTSIGN) +
   WITHLABEL('RACFCA') +
   NOTAFTER(DATE(2020/01/30)) +
   SIZE(1024)
  2. Export the RACFCA certificate in CERTDER format.
    For example: 
       
RACDCERT CERTAUTH EXPORT(LABEL('RACFCA')) +
   DSN('CSQP.CSQPBRK.CACERT.DER') FORMAT(CERTDER)

OPUT 'CSQP.CSQPBRK.CACERT.DER' +
	   '/u/CSQPBRK/ssl/csqpbrk.ca.der' +
   BINARY CONVERT(NO)
    The OPUT command is optional. It is used to copy the certificate into a HFS file before FTP to another server.
  3. Create the integration node personal certificate.
    For example: 
    RACDCERT ID(CSQPBRK) +
   GENCERT SUBJECTSDN(CN('BROKER.HTTP.CSQPBRK') T('PROD') +
   OU('ISSW') O('IBM') +
   L('HURSLEY') SP('WINCHESTER') C('GB')) +
   WITHLABEL('CSQPBRKCERT') SIZE(1024) +
   SIGNWITH(CERTAUTH LABEL('RACFCA')) +
   KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) +
   NOTAFTER(DATE(2020/01/30))
  4. Export the integration node certificate in PKCS12 format.
    For example:
     RACDCERT ID(CSQPBRK) EXPORT(LABEL('CSQPBRKCERT')) +
      DSN('CSQP.CSQPBRK.PERSCERT.P12') +
      FORMAT(PKCS12DER) PASSWORD('changeit')

 OPUT 'CSQP.CSQPBRK.PERSCERT.P12' +
      '/u/CSQPBRK/ssl/csqpbrk.pers.p12' +
      BINARY CONVERT(NO)

What to do next

What to do next: Create the integration node keystore and import the personal certificate and RACF CA signer certificates.