CA-Top Secret Application Certificate Parameter Definitions

This table describes the minimum parameter definitions required for Connect:Direct® Secure Plus for z/OS®. Consult the CA-ACF2 documentation for detailed information about all the certificate parameters and commands.

CA-Top Secret Parameter Description Value Used for Connect:Direct Secure Plus Option
SUBJECTDSN Specifies the subject's distinguished name. It identifies the certificate. This name can identify certificates that may have issued or signed other certificates and can match to other certificates Issuer's Name. The following fields, which must be enclosed in single quotes, are attributes of the Issuer's Name parameter and the Subject's Name parameter:

CN='Common Name of the certificate in single quotes,' for example, ‘RACF SELF SIGN COMMON'

T='Title of person creating certificate'

OU='Organizational Unit associated with the person creating the certificate'

O='Organization for which the certificate is being created'

L='Locality (city) of the entity for which the certificate is created'

SP='State/Province of the locality'

C='Country of the locality'

UID='userid'

UID Security ID used to start the IBM® Connect:Direct Job or Started Task. CA-Top Secret defined ID
NBDATE/NBTIME Specifies the local date and time from which the certificate is valid. Must be a valid date and time
NADATE/NATIME Specifies the local date and time after which the certificate is no longer valid. All certificates used in the SSL/TLS handshake, including issuer certificates, must not be expired. Must be a valid date and time
KEYSIZE Specifies the size of the private encryption key in bits.  
LABLCERT Certificate label. LABEL keywords are case and blank sensitive; therefore, the values specified for these keywords must be exact.

This parameter is specified when you associate a certificate with an ACID.

Information to identify the certificate, for example, CD Secure Plus
Note: Specify the exact value in the Certificate Label field in the Local Node record of the Connect:Direct Secure Plus parameter file.
ICSF If Private Key type is ICSF, the private key is stored in the ICSF PKDS (public key data set). Access to the private key then requires that the ICSF application be executing and IBM Connect:Direct have access authority to the ICSF application If ICSF is specified, see IBM Connect:Direct Access to System Resources for SSL or TLS for requirements.
TRUST | NOTRUST Specifies the status of the certificate when you associate a certificate with an ACID. TRUST
KEYRING Specifies the key ring being added to the user's ACID. If you use a keyring, the value in this field must be specified in the Certificate Label field for the Local Node record in the Connect:Direct Secure Plus parameter file.
LABLRING Specifies the label to be associated with the keyring being added to the user, which is used as the identifier of the digital certificate. If you use a keyring, the value in this field must be specified in the Certificate Pathname field for the Local Node record in the Connect:Direct Secure Plus parameter file.
DEFAULT Specifies how this certificate should be used in a keyring for the USERID of the person submitting a batch job or signed on to TSO. PERSONAL
USAGE Specifies that the certificate is the default certificate. Only one certificate can be the default certificate. Define the end-user server certificate of the local IBM Connect:Direct node as the default. YES