CA-ACF2 Application Certificate Parameter Definitions

This table describes the minimum parameter definitions required for Connect:Direct® Secure Plus for z/OS®. Consult the CA-ACF2 documentation for detailed information about all the certificate parameters and commands.

| CA-ACF2 Parameter | Description | Value Used by IBM Connect:Direct Secure Plus Option |
| --- | --- | --- |
| ACID | Security ID used to start the IBM Connect:Direct Job or Started Task. | CA-ACF2 defined ID |
| Label | Certificate label. LABEL keywords are case and blank sensitive; therefore, the values specified for these keywords must be exact. | Information that identifies the certificate, for example, CD Secure Plus<br>Note: Specify the exact value in the Certificate Label field in the Local Node record of the IBM Connect:Direct Secure Plus parameter file. |
| Subjsdsn | Specifies the subject's distinguished name. It identifies the certificate. This name can identify certificates that may have issued or signed other certificates and can match the Issuer's Name of other certificates. | The following fields, which must be enclosed in single quotes, are attributes of the Issuer's Name parameter and the Subject's Name parameter:<br>CN=Common Name of the certificate in single quotes, for example, 'RACF SELF SIGN COMMON'<br>T='Title of person creating certificate'<br>OU='Organizational Unit associated with the person creating the certificate'<br>O='Organization for which the certificate is being created'<br>L='Locality (city) of the entity for which the certificate is created'<br>SP='State/Province of the locality'<br>C='Country of the locality' |
| Size | Specifies the size of the private encryption key in bits. | |
| Active | Specifies the local date and time from which the certificate is valid. | Must be a valid date and time |
| Expire | Specifies the local date and time after which the certificate is no longer valid. All certificates used in the SSL/TLS handshake, including issuer certificates, must not be expired. | Must be a valid date and time |
| Keyusage | KeyUsage certificate extension, of which one or more of the following values might be coded. | HANDSHAKE (Required): Indicates that digital signature and key encipherment are enabled.<br>DOCSIGN (Optional): Indicates that non-repudiation is enabled.<br>DATAENCRYPT (Optional): Enables the certificate to be used to.<br>CERTSIGN: Indicates the certificate can sign other digital certificates and CRLs.<br>Note: Do not specify CERTSIGN. Only Certificate Authority (Issuer) certificates should have keyCertSign and cRLSign indicators. |
| KEYRING | Specifies the record key of a KEYRING record to which the certificate is associated. | If you use a keyring, the value in this field must be specified in the Certificate Label field for the Local Node record in the IBM Connect:Direct Secure Plus parameter file. |
| RINGNAME | Specifies the ring name of a KEYRING record to which the certificate information is associated. | If you use a keyring, the value in this field must be specified in the Certificate Pathname field for the Local Node record in the IBM Connect:Direct Secure Plus parameter file. |
| USAGE | Specifies how this certificate should be used in a keyring for the USERID of the person submitting a batch job or signed on to TSO. | PERSONAL |
| DEFAULT | Specifies that the certificate is the default certificate. Only one certificate can be the default certificate. Define the end-user server certificate of the local IBM Connect:Direct node as the default. | YES |
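
The constraints in the table (exact LABEL match with the Local Node record, required HANDSHAKE usage, no CERTSIGN on the node certificate, and unexpired certificates throughout the chain) can be checked before a definition is submitted. The following Python check is an added example, not part of the IBM or CA-ACF2 documentation; the dict layout, the function name `check_definition` and all sample values are assumptions made for illustration.

```python
from datetime import datetime

def check_definition(cert, local_node_label, chain=(), now=None):
    """Return findings for a planned end-entity certificate definition.

    cert and chain entries are plain dicts (hypothetical layout) holding the
    values intended for LABEL, ACTIVE, EXPIRE and KEYUSAGE.
    """
    now = now or datetime.now()
    findings = []

    # LABEL is case and blank sensitive: the Local Node record must match exactly.
    label = cert["label"]
    if label != local_node_label:
        if label.split() == local_node_label.split():
            why = "differs only in blanks"
        elif label.lower() == local_node_label.lower():
            why = "differs only in case"
        else:
            why = "does not match"
        findings.append(f"LABEL {label!r} {why}: Local Node has {local_node_label!r}")

    # KEYUSAGE: HANDSHAKE is required; CERTSIGN belongs only on issuer certificates.
    usage = {u.upper() for u in cert["keyusage"]}
    if "HANDSHAKE" not in usage:
        findings.append("KEYUSAGE is missing HANDSHAKE")
    if "CERTSIGN" in usage:
        findings.append("KEYUSAGE includes CERTSIGN on an end-entity certificate")

    # Every certificate in the handshake, issuers included, must be within its validity window.
    for c in (cert, *chain):
        if c["active"] >= c["expire"]:
            findings.append(f"{c['label']!r}: ACTIVE is not before EXPIRE")
        elif now < c["active"]:
            findings.append(f"{c['label']!r}: not yet active")
        elif now > c["expire"]:
            findings.append(f"{c['label']!r}: expired")
    return findings

# Constructed sample values, not taken from a real system.
NOW = datetime(2025, 6, 1)
SERVER = {"label": "CD Secure Plus ", "keyusage": ["HANDSHAKE", "CERTSIGN"],
          "active": datetime(2025, 1, 1), "expire": datetime(2026, 1, 1)}
ISSUER = {"label": "Local CA", "keyusage": ["CERTSIGN"],
          "active": datetime(2020, 1, 1), "expire": datetime(2025, 3, 1)}

if __name__ == "__main__":
    for finding in check_definition(SERVER, "CD Secure Plus", [ISSUER], NOW):
        print(finding)
```

The constructed server definition has a trailing blank in its label and codes CERTSIGN, and the constructed issuer has expired, so the check reports one finding for each.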