RACF Application Certificate Parameter Definitions
To avoid some problems associated with CA-signed and self-signed certificates, refer to the following information about certificate parameter definitions required to use Connect:Direct® Secure Plus for z/OS®. Minimum parameter definitions for certificates generated with the RACF®, gskkyman, CA-ACF2, and CA-Top Secret security applications are provided.
If you plan to use FIPS mode, see z/OS V1R11.0 Cryptographic Services System Sockets Layer Programming SC24-5901-08 for more information about System SSL and FIPS mode.
You may also want to record the parameter definitions you configure for certificates on the worksheets provided for the local and remote node records in Configuration Worksheets.
This table describes the minimum parameter definitions required for IBM Connect:Direct Secure Plus for z/OS. When two parameters are listed in the same row, the first parameter name is used when you create a certificate and the second parameter name is its equivalent, which is used when you display information about the certificate. Consult the RACF documentation for detailed information about all the certificate parameters and commands.
|RACF Parameter||Description||Value Used for IBM Connect:Direct Secure Plus|
|User ID||Security ID used to start the IBM Connect:Direct Job or Started Task.||RACF-defined ID|
|Label||Certificate label. LABEL keywords are case and blank sensitive; therefore, the values specified for these keywords must be exact.||Information that identifies the certificate, for example, CD Secure
Note: Specify the exact value in the Certificate Label field in the Local Node record of the IBM Connect:Direct Secure Plus parameter.
Note: Use the default certificate defined in the key store. Leave the certificate label field in the local record as blank.
|Status||Status of the certificate.||Status=TRUST
All certificates used by IBM Connect:Direct Secure Plus for z/OS must be Trusted.
|Specifies the local date and time from which the certificate is valid.||Must be a valid date and time|
|Specifies the local date and time after which the certificate is no longer valid. All certificates used in the SSL/TLS handshake, including issuer certificates, must not be expired.||Must be a valid date and time|
|Key Usage||Facilitates identification and key exchange during SSL/TLS security handshakes.||HANDSHAKE (Required): Indicates
that digital signature and key encipherment are enabled.
DOCSIGN (Optional): Indicates that non-repudiation is enabled.
DATAENCRYPT (Optional): Indicates that data encipherment is enabled.
CERTSIGN: Indicates the certificate can sign other digital certificates and CRLs.
Note: Do not specify CERTSIGN. Only Certificate Authority (Issuer) certificates should have keyCertSign and cRLSign indicators.
|X.509 Subject's Distinguished Name
|Specifies the distinguished name of the issuer
that issued or signed a certificate. The name identifies the trusted
certificate of the issuer or CA that signed the server certificate.
The name identifies the trusted certificate of the issuer or CA that
signed the server certificate. The CA or entity certificate with that
name must be available within the key database or Keyring. The Issuer
Name keywords are case and blank sensitive.
Note: Self-signed certificates display the same information in the Issuer Name and Subject Name parameters.
|The following fields, which must be enclosed in
single quotes, are attributes of the Issuer's Name parameter
and the Subject's Name parameter:
CN=Common Name of the certificate in single quotes, for example, ‘RACF SELF SIGN COMMON'
T='Title of person creating certificate'
OU='Organizational Unit associated with the person creating the certificate'
O='Organization for which the certificate is being created'
L='Locality (city) of the entity for which the certificate is created'
SP='State/Province of the locality'
C='Country of the locality'
|X.509 Subject's Distinguished Name
|Specifies the certificate's subject distinguished name. It identifies the certificate. This name can identify certificates that may have issued or signed other certificates and can match to other certificates Issuer's Name.|
|Private Key Size||Specifies the size of the private key expressed in decimal bits. Key size of 1024 provides a secure encryption. A larger size provides a more secure encryption but requires more CPU to encrypt.|
|Private Key Type||Specifies how the private key should be stored for future use. Type can be none, non-ICSF, or ICSF. If Type= none, the certificate does not have a private key.||If ICSF is specified, see IBM Connect:Direct Access to System Resources for SSL or TLS for requirements.|
|Ring Name||Specifies the name of the keyring that a certificate is connected with.||If you use a key ring, the exact value in this field must be specified in the Certificate Pathname field for the Local Node record in the IBM Connect:Direct Secure Plus parameter file.|
|Usage||Specifies how this certificate should be used in a keyring for the USERID of the person submitting a batch job or signed on to TSO.||PERSONAL|
|Default||Specifies that the certificate is the default certificate. Only one certificate can be the default certificate. Define the end-user server certificate of the local IBM Connect:Direct node as the default.||YES|