CA-Top Secret Application Certificate Parameter Definitions
This table describes the minimum parameter definitions required for Connect:Direct® Secure Plus for z/OS®. Consult the CA-ACF2 documentation for detailed information about all the certificate parameters and commands.
CA-Top Secret Parameter | Description | Value Used for IBM Connect:Direct Secure Plus Option |
---|---|---|
SUBJECTDSN | Specifies the subject's distinguished name, which identifies the certificate. This name can identify certificates that may have issued or signed other certificates, and it can match the Issuer's Name of other certificates. | The following fields, which must be enclosed in single quotes, are attributes of the Issuer's Name parameter and the Subject's Name parameter:<br>CN='Common Name of the certificate in single quotes', for example, 'RACF SELF SIGN COMMON'<br>T='Title of person creating certificate'<br>OU='Organizational Unit associated with the person creating the certificate'<br>O='Organization for which the certificate is being created'<br>L='Locality (city) of the entity for which the certificate is created'<br>SP='State/Province of the locality'<br>C='Country of the locality'<br>UID='userid' |
UID | Security ID used to start the IBM Connect:Direct Job or Started Task. | CA-Top Secret defined ID |
NBDATE/NBTIME | Specifies the local date and time from which the certificate is valid. | Must be a valid date and time |
NADATE/NATIME | Specifies the local date and time after which the certificate is no longer valid. All certificates used in the SSL/TLS handshake, including issuer certificates, must not be expired. | Must be a valid date and time |
KEYSIZE | Specifies the size of the private encryption key in bits. | |
LABLCERT | Certificate label. LABEL keywords are case and blank sensitive; therefore, the values specified for these keywords must be exact. This parameter is specified when you associate a certificate with an ACID. | Information to identify the certificate, for example, CD Secure Plus.<br>Note: Specify the exact value in the Certificate Label field in the Local Node record of the IBM Connect:Direct Secure Plus parameter file. |
ICSF | If the Private Key type is ICSF, the private key is stored in the ICSF PKDS (public key data set). Access to the private key then requires that the ICSF application be executing and that IBM Connect:Direct have access authority to the ICSF application. | If ICSF is specified, see IBM Connect:Direct Access to System Resources for SSL or TLS for requirements. |
TRUST \| NOTRUST | Specifies the status of the certificate when you associate a certificate with an ACID. | TRUST |
KEYRING | Specifies the key ring being added to the user's ACID. | If you use a keyring, the value in this field must be specified in the Certificate Label field for the Local Node record in the IBM Connect:Direct Secure Plus parameter file. |
LABLRING | Specifies the label to be associated with the keyring being added to the user, which is used as the identifier of the digital certificate. | If you use a keyring, the value in this field must be specified in the Certificate Pathname field for the Local Node record in the IBM Connect:Direct Secure Plus parameter file. |
DEFAULT | Specifies how this certificate should be used in a keyring for the USERID of the person submitting a batch job or signed on to TSO. | PERSONAL |
USAGE | Specifies that the certificate is the default certificate. Only one certificate can be the default certificate. Define the end-user server certificate of the local IBM Connect:Direct node as the default. | YES |