Creating a RACF key ring for use with Db2 Data Gate

Create a key ring in RACF to store both the signer certificate and the server certificate.

About this task

In most cases, you will not be able to reuse an existing key ring because the server certificate must be the default certificate to be returned by the key ring. This might interfere with the requirements of other encrypted connections.

The same key ring can be used by multiple Db2 subsystems under the condition that all subsystems use the same user ID for the DDF started task. If access by different user IDs is required, then access must be managed correctly by RACF® methods.

Procedure

Add RACF commands to a JCL job, as shown in the following example, to create a key ring in RACF and connect the signer certificate and the server certificate to it.
Tip: Make the user ID that runs the DDF started task the owner of the key ring. This way, you can omit a number of access authorizations.

Use the following example as a reference:

RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
RACDCERT ID(DB2USER) -
         CONNECT(CERTAUTH -
         LABEL('DB2 SERVER CA') RING(DB2AKEYRING))
RACDCERT ID(DB2USER) -
         CONNECT(ID(DB2USER) -
         LABEL('DB2ASERVER CERTIFICATE') -
         RING(DB2AKEYRING) DEFAULT)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
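The commands above run from a TSO batch step. The following complete job is an added example and not part of the product documentation: it wraps this page's RACDCERT commands in IKJEFT01 and adds a second step that lists the ring so you can confirm that the server certificate, not the CA certificate, is marked as the default. The job name, accounting data and output classes are assumptions; DB2USER, DB2AKEYRING and the certificate labels are the values used on this page, and any FACILITY-class permits that the refresh implies are assumed to be granted in a separate step.

```jcl
//RACFRING JOB (ACCT),'DB2 DATA GATE RING',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*--------------------------------------------------------------
//* Added example, not from the product documentation. Runs the
//* RACDCERT commands from this page in TSO batch (IKJEFT01).
//* Job name, accounting data and output classes are assumptions;
//* DB2USER, DB2AKEYRING and the labels must match your site.
//*--------------------------------------------------------------
//RACDCERT EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
  RACDCERT ID(DB2USER) -
           CONNECT(CERTAUTH -
           LABEL('DB2 SERVER CA') RING(DB2AKEYRING))
  RACDCERT ID(DB2USER) -
           CONNECT(ID(DB2USER) -
           LABEL('DB2ASERVER CERTIFICATE') -
           RING(DB2AKEYRING) DEFAULT)
  SETR RACLIST (DIGTRING) REFRESH
  SETR RACLIST (DIGTCERT) REFRESH
  SETR RACLIST (FACILITY) REFRESH
/*
//*--------------------------------------------------------------
//* Verification step, run only if the previous step ended with
//* RC=0. The LISTRING output should show exactly two entries:
//* the CA with USAGE CERTAUTH and DEFAULT NO, and the server
//* certificate with USAGE PERSONAL and DEFAULT YES.
//*--------------------------------------------------------------
//LISTRING EXEC PGM=IKJEFT01,DYNAMNBR=20,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(DB2USER) LISTRING(DB2AKEYRING)
/*
```

If the DEFAULT column shows YES for the CA certificate instead of the server certificate, DDF will present the wrong certificate to Db2 Data Gate clients; re-issue the server CONNECT with DEFAULT and refresh DIGTRING.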