Configuring SSL client authentication
To complete this task you use iKeyman to create and export the client certificate, FTP to transfer the certificate file to the server, and a RACDCERT (RACF® digital certificate) command to import the certificate into the RACF keyring.
iKeyman is provided as part of the Java™ Runtime Environment.
SSL client authentication provides extra security between the client and the CICS® server. SSL client authentication builds on the security provided by SSL server authentication. SSL client authentication requires that the client keyring contains a self-signed certificate that is used to identify the connecting client.
- Create a client certificate:
- Start iKeyman and open the key database file (ctgclientkeyring.jks) that you created when completing the previous task Configuring SSL server authentication on the client.
- From the menu, select Personal Certificates.
- Click New Self-Signed.
- Complete the following mandatory fields:
- Key label
- Enter exampleclientcert.
- Version
- Select X509 V3.
- Key size
- Select 1024.
- Common name
- Specify the default value. This is the name of the machine you are using.
- Validity period
- Specify the default value 365 days.
- Click OK.
The iKeyman tool now generates a public/private key pair.
The self-signed client certificate appears in the Personal Certificates window. The certificate has the name that you entered in the Key label field, in this example exampleclientcert.
- Export the client signer certificate:
- With exampleclientcert highlighted, select Extract Certificate.
- On the Data type menu, select Base64-encoded ASCII.
- Enter the name and location of the text file containing your Client Certificate data. This scenario uses exampleclientcert.arm.
- Click OK.
The exported certificate is a signer certificate generated from the personal certificate in the keyring; it does not contain the private key. Import the certificate into the keyring of every server that needs to communicate with the SSL client. The server uses the certificate to verify the identity of the client.
- Import the client signer certificate into your RACF keyring:
- Transfer the file to the server into an MVS™ sequential data set using FTP, for example:
ftp winmvs2g
Connected to server.company.com
User (server.company.com:(none)): name
331 Send password please.
Password: xxx
name is logged on. Working directory is "/u/directory".
ftp> asc
Representation type is Ascii NonPrint
ftp> quote site recfm=vb
SITE command was accepted
ftp> put exampleclientcert.arm 'CTGUSER.CLIENT.CERT.ARM'
Port request OK.
125 Sending data set 'CTGUSER.CLIENT.CERT.ARM'
Transfer completed successfully.
ftp> quit
- Add the client certificate to CLASS(DIGTCERT) using the ISPF RACF command:
RACDCERT ID(CTGUSER) ADD('CTGUSER.CLIENT.CERT.ARM') WITHLABEL('CLIENT.CERT') TRUST
The command returns a message confirming that the certificate has been added with TRUST status and that the class needs to be refreshed:
Certificate Authority not defined to RACF. Certificate added with TRUST status
- Refresh the RACF class:
SETR RACLIST(DIGTCERT) REFRESH
- Connect the client certificate to your RACF keyring using the ISPF RACF command:
RACDCERT ID(CTGUSER) CONNECT(LABEL('CLIENT.CERT') RING(CTGSERVERKEYRING) USAGE(CERTAUTH))
The new signer certificate is added to the list in the Signer Certificates view, and can be used by the server to verify the identity of the client application.
You have now configured SSL client authentication.
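Before the exported file is transferred to the host in step 3, it is worth confirming that it really is the signer certificate alone: one certificate block, no private key, self-signed, X.509 V3. The following script is an added example and is not part of the IBM documentation or of iKeyman; it uses only the Python standard library, and the names inspect_arm and sample_arm are this example's own. Because a real export cannot be generated offline, the script builds a constructed certificate shell with a dummy signature to run against; on a workstation you would pass the contents of exampleclientcert.arm to inspect_arm instead.

```python
# Added example, not from the IBM page: sanity-check an exported .arm signer certificate.
import base64, re

def der(tag, body):
    """Minimal DER encoder (tag + definite length + body), used only for the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def tlv(buf, pos=0):
    """Decode one DER element at pos; returns (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                     # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(seq):
    out, pos = [], 0                                 # (tag, value) elements of a SEQUENCE/SET body
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        out.append((tag, val))
    return out
def inspect_arm(text):
    """Reject a private key or several certs; return (x509_version, rsa_key_bits, self_signed)."""
    if "PRIVATE KEY" in text:
        raise ValueError("export contains a private key; extract the certificate only")
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate block")
    cert = base64.b64decode("".join(blocks[0].split()))
    f = children(children(tlv(cert)[1])[0][1])       # fields of tbsCertificate
    version = 1                                      # no [0] EXPLICIT tag means v1
    if f[0][0] == 0xA0:
        version, f = tlv(f[0][1])[1][0] + 1, f[1:]   # v3 is encoded as INTEGER 2
    _serial, _alg, issuer, _validity, subject, spki = f[:6]
    rsa = tlv(children(spki[1])[1][1][1:])[1]        # RSAPublicKey inside the BIT STRING
    key_bits = int.from_bytes(children(rsa)[0][1], "big").bit_length()
    return version, key_bits, issuer == subject      # self-signed: issuer DN == subject DN
def sample_arm():
    """Constructed sample, not a real iKeyman export: v3, issuer == subject, 1024-bit modulus, dummy signature."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"client.example"))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    rsa = der(0x30, der(0x02, b"\x00\x80" + b"\x00" * 127) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b"")) + der(0x03, b"\x00" + rsa))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 129))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

The returned key size is the value to compare against your site's minimum; the 1024 reported for the sample is the size this scenario selects in iKeyman.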