Configure SSL client authentication (optional)

SSL client authentication can optionally be configured if you have already configured SSL server authentication.

You perform some of these tasks on the IBM® z/OS® platform by issuing RACDCERT (IBM RACF® digital certificate) commands. The RACDCERT commands enable you to create and maintain digital certificates, and to create the keyrings which act as repositories for digital certificates. You also use ikeyman.

ikeyman is provided as part of the Java™ Runtime Environment.

  1. Create a self-signed certificate in the client keystore. Because it is self-signed it acts as its own CA, and it is this certificate that the server will later be told to trust. Start ikeyman and open the Java keystore (.jks) file.
  2. Click Create > New Self-Signed Certificate. In the Create New Self-Signed Certificate window, complete the following steps:
    1. In the Key label field, type cics tg client certificate. This provides a way of identifying the certificate, and is not used in security processing.
    2. On the Version menu, select X509 V3.
    3. On the Key size menu, select 1024. 1024-bit RSA keys are below current minimum recommendations; if the server and the CICS TG level you are using accept it, select 2048 or larger.
    4. The Common name defaults to the name of the machine you are using, and the Validity period defaults to 365 days.
    5. Click OK.
  3. In the drop-down menu that currently shows Signer Certificates, select Personal Certificates, select the new certificate and click Extract Certificate.... Specify the data type Base64-encoded ASCII data, the certificate file name (this scenario used client.personal.cert.arm), and the location (for example C:\CICSTG). Extract Certificate writes only the public certificate; the private key stays in the .jks file and must never be sent to the server.
  4. Check to ensure that the file is visible in the folder.
  5. Transfer the file to the server, for example with command-line FTP. Use ASCII mode (asc) so that the Base64 text is translated to EBCDIC, and site recfm=vb so that it is stored as a variable-blocked data set, which is the format RACDCERT ADD expects:
    C:\CICSTG>ftp server
    Connected to server.company.com
    User : ctguser
    Password : xxx
    CTGUSER is logged on. Working directory is "/u/ctguser".
    ftp> asc
    Representation type is Ascii NonPrint
    ftp> literal site recfm=vb
    200 SITE command was accepted
    ftp> cd 'CTGUSER'
    "CTGUSER." is the working directory name prefix.
    ftp> put client.personal.cert.arm
    Storing data set CTGUSER.CLIENT.PERSONAL.CERT.ARM
    ftp> quit
  6. Add the certificate to RACF under the CICS TG user ID, marked as trusted:
    RACDCERT ID (CTGUSER) ADD('CTGUSER.CLIENT.PERSONAL.CERT.ARM') WITHLABEL('MY CLIENT CERT') TRUST
    The following message is displayed:
    The new profile for DIGTCERT will not be in effect until a SETROPTS REFRESH has been issued.
    Certificate Authority not defined to RACF. Certificate added with TRUST status.
  7. Refresh the in-storage DIGTCERT profiles on the server so that the new certificate takes effect:
    setr raclist(digtcert) refresh
  8. Connect the client certificate to the server keyring with USAGE(CERTAUTH). This is what makes the server accept TLS clients that present this certificate: in the ring it is treated as a trusted certificate authority, not as a personal certificate of the server:
    RACDCERT ID (CTGUSER) CONNECT(LABEL ('MY CLIENT CERT') RING(CTGKEYRING) USAGE (CERTAUTH))
  9. Check that the client certificate is connected to the keyring, either by issuing RACDCERT ID(CTGUSER) LISTRING(CTGKEYRING) from TSO or through the ISPF panels:
    1. Open ISPF.
    2. From the ISPF main menu select R RACF.
    3. From the RACF - SERVICES OPTION menu select 7 DIGITAL CERTIFICATES, KEYRINGS, AND TOKENS.
    4. From the DIGITAL CERTIFICATES AND RELATED FUNCTIONS menu select 2 KEYRING FUNCTIONS.
    5. From the DIGITAL CERTIFICATE KEYRING SERVICES menu, specify user CTGUSER and select the option 3 LIST EXISTING KEYRINGS.
    6. At the prompt Enter specific ring names or an asterisk * to list up to 4 rings, enter an asterisk (*).
    ISPF lists the certificates connected to the ring; the new entry shows USAGE CERTAUTH alongside the server's own CA and personal certificates:
    
    Ring:
         >CTGKEYRING<
    Certificate Label Name               Cert Owner    USAGE       DEFAULT
    ----------------------------------   -----------   -----       -------
    CTG CA CERT                          CERTAUTH      CERTAUTH    NO
    CTG PERSONAL CERT                    ID(CTGUSER)   PERSONAL    YES
    MY CLIENT CERT                       ID(CTGUSER)   CERTAUTH    NO
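
The client-side part of the procedure (steps 1 to 5), as an added example that is not from the original page or from the CICS TG product documentation: the same Java keystore operations done non-interactively with keytool, the command-line tool that ships in the same JRE as ikeyman, plus a pre-flight check on the .arm file before it is sent to z/OS. The keystore name client.jks, the KEYSTORE_PASS variable with its placeholder value, the hostname-derived common name and the preflight_arm function are assumptions of this example; the alias and the .arm file name follow the scenario above, and the key size is 2048 rather than the 1024 shown in the panels. The RACDCERT side is unchanged: once the file is on the server, run the same ADD, SETROPTS and CONNECT commands as above.

```shell
#!/bin/sh
# Added example, not the page's or the product's own code: client-side steps
# of the procedure with keytool, plus a pre-flight check on the extracted file.
# Assumptions: client.jks, KEYSTORE_PASS (placeholder value, set a real one),
# the common name taken from hostname, and the preflight_arm check itself.

KEYSTORE=${KEYSTORE:-client.jks}
KEYSTORE_PASS=${KEYSTORE_PASS:-changeit}   # assumption: placeholder only
ALIAS="cics tg client certificate"         # the ikeyman key label from the scenario
ARM_FILE=${ARM_FILE:-client.personal.cert.arm}

# Steps 1-2: self-signed RSA key pair and X.509 v3 certificate, valid 365 days,
# in a JKS keystore (keytool always issues v3 certificates).
make_client_cert() {
    keytool -genkeypair -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
        -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 -dname "CN=$(hostname)"
}

# Step 3: extract only the public certificate, Base64-encoded (-rfc), the same
# thing ikeyman's Extract Certificate does. The private key stays in the keystore.
extract_client_cert() {
    keytool -exportcert -rfc -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" \
        -alias "$ALIAS" -file "$ARM_FILE"
}

# Steps 4-5 check: the file about to be FTPed must be exactly one PEM certificate
# and nothing else (in particular no private key), with Base64 body lines short
# enough for the VB data set. CRs from a Windows editor are tolerated.
preflight_arm() {
    f=$1
    [ -f "$f" ] || { echo "preflight: $f not found" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "preflight: $f contains a private key; use Extract Certificate, not Export" >&2
        return 1
    fi
    n_begin=$(tr -d '\r' < "$f" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    n_end=$(tr -d '\r' < "$f" | grep -c '^-----END CERTIFICATE-----$' || true)
    if [ "$n_begin" -ne 1 ] || [ "$n_end" -ne 1 ]; then
        echo "preflight: expected exactly one CERTIFICATE block in $f" >&2
        return 1
    fi
    body=$(tr -d '\r' < "$f" | grep -v '^-----' || true)
    [ -n "$body" ] || { echo "preflight: $f has an empty certificate body" >&2; return 1; }
    # Every body line must be Base64 and at most 76 characters (PEM uses 64).
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,76\}$'; then
        echo "preflight: $f has non-Base64 or over-long lines" >&2
        return 1
    fi
    echo "preflight: $f looks like a single Base64 certificate, safe to transfer"
}

# Usage: sh client_cert.sh gen | extract | check   (no argument: define functions only)
case "${1:-}" in
    gen)     make_client_cert ;;
    extract) extract_client_cert && preflight_arm "$ARM_FILE" ;;
    check)   preflight_arm "$ARM_FILE" ;;
esac
```

Run gen once, then extract, and FTP the resulting .arm exactly as in step 5. Because the server connects this certificate to its ring with USAGE(CERTAUTH) and TRUST, whoever holds client.jks and its password can authenticate to the Gateway as this client: keep the keystore off shared drives, replace the placeholder password, and remember that the pre-flight check only verifies the file's shape; keytool -printcert -file client.personal.cert.arm shows the subject, validity and key size actually inside it.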