Configure SSL server authentication - step 1

This step involves using RACF® commands to create a CA certificate, a signed personal certificate and a keyring on the server.

You perform these tasks on the IBM® z/OS® platform by issuing RACDCERT (RACF digital certificate) commands. The RACDCERT commands enable you to create and maintain digital certificates, and to create the keyrings which act as repositories for digital certificates.

These sample commands generate RACF certificates which use an SHA-256 hashing algorithm for signing. For information on other options see the topic RACDCERT GENCERT (Generate certificate) in the IBM z/OS Security Server RACF Command Language Reference.

  1. Create a CA certificate that is self signed on the server (in RACF). Enter the following command on one line:
    RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG CA CERT') C('GB')) 
SIZE(2048) KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT')
  2. Refresh the RACF class: 
    SETR RACLIST(DIGTCERT) REFRESH
  3. Check that the CA certificate has been created; do this by verifying that it exists in the output from listing the DIGTCERT class:
    1. Open ISPF.
    2. From the ISPF main menu select R RACF.
    3. From the RACF - SERVICES OPTION MENU screen select 2 GENERAL RESOURCE PROFILES.
    4. From the GENERAL RESOURCE PROFILE SERVICES screen select D or 8 DISPLAY PROFILE CONTENTS.
    5. From the DISPLAY GENERAL RESOURCE PROFILE screen do the following:
      • Enter the class name DIGTCERT in the CLASS field.
      • Leave the PROFILE field blank.
      • Enter YES to select the profile type DISCRETE.
      • Enter YES to select the ACCESS LIST option.
      Press Enter to display a list of the selected classes and confirm that it contains the DIGTCERT class you have just created.
  4. List the certificate:
    RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT'))
  5. Generate a personal certificate on the server and sign it with your CA certificate. Enter the following command on one line:
    RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG PERSONAL CERT') C('GB')) 
SIZE(2048) WITHLABEL('CTG PERSONAL CERT') SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))
    Where CTGUSER is a valid RACF user ID.
  6. Refresh the RACF class:
    SETR RACLIST(DIGTCERT) REFRESH
  7. Create a keyring where certificates are stored:
    RACDCERT ADDRING(CTGKEYRING) ID(CTGUSER)
  8. Add the CA certificate and personal certificate to the keyring:
    1. Add the CA certificate to the keyring:
      RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT') RING(CTGKEYRING) USAGE(CERTAUTH))
    2. Add the personal certificate to the keyring:
      RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT') RING(CTGKEYRING) DEFAULT USAGE(PERSONAL))
  9. List the keyring to confirm that it contains the certificates:
    RACDCERT LISTRING(CTGKEYRING) ID(CTGUSER)
    Here is an example of the output generated by this command:
    
Ring:
     >CTGKEYRING<
Certificate Label Name               Cert Owner    USAGE       DEFAULT
----------------------------------   -----------   -----       -------
CTG CA CERT                          CERTAUTH      CERTAUTH    NO
CTG PERSONAL CERT                    ID(CTGUSER)   PERSONAL    YES
  10. Export the personal certificate to a file on the server:
    RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT')) DSN('CTGUSER.PERSONAL.CERT') FORMAT(CERTB64)
    The FORMAT(CERTB64) specifies that the certificate is stored in ASCII format. Use ISPF 3.4 to view the certificate.