CA-ACF2 Application Certificate Parameter Definitions
This table describes the minimum parameter definitions required for Connect:Direct® Secure Plus for z/OS®. Consult the CA-ACF2 documentation for detailed information about all the certificate parameters and commands.
CA-ACF2 Parameter | Description | Value Used by IBM Connect:Direct Secure Plus Option |
---|---|---|
ACID | Security ID used to start the IBM Connect:Direct Job or Started Task. | CA-ACF2 defined ID |
Label | Certificate label. LABEL keywords are case and blank sensitive; therefore, the values specified for these keywords must be exact. | Information that identifies the certificate, for example, CD Secure Plus. Note: Specify the exact value in the Certificate Label field in the Local Node record of the IBM Connect:Direct Secure Plus parameter file. |
Subjsdsn | Specifies the subject's distinguished name. It identifies the certificate. This name can identify certificates that may have issued or signed other certificates, and it can match the Issuer's Name of other certificates. | The following fields, which must be enclosed in single quotes, are attributes of the Issuer's Name parameter and the Subject's Name parameter: CN=Common Name of the certificate in single quotes, for example, 'RACF SELF SIGN COMMON'; T='Title of person creating certificate'; OU='Organizational Unit associated with the person creating the certificate'; O='Organization for which the certificate is being created'; L='Locality (city) of the entity for which the certificate is created'; SP='State/Province of the locality'; C='Country of the locality' |
Size | Specifies the size of the private encryption key in bits. | |
Active | Specifies the local date and time from which the certificate is valid. | Must be a valid date and time |
Expire | Specifies the local date and time after which the certificate is no longer valid. All certificates used in the SSL/TLS handshake, including issuer certificates, must not be expired. | Must be a valid date and time |
Keyusage | KeyUsage certificate extension, of which one or more of the following values might be coded. | HANDSHAKE (Required): Indicates that digital signature and key encipherment are enabled. DOCSIGN (Optional): Indicates that non-repudiation is enabled. DATAENCRYPT (Optional): Enables the certificate to be used to. CERTSIGN: Indicates the certificate can sign other digital certificates and CRLs. Note: Do not specify CERTSIGN. Only Certificate Authority (Issuer) certificates should have keyCertSign and cRLSign indicators. |
KEYRING | Specifies the record key of a KEYRING record to which the certificate is associated. | If you use a keyring, the value in this field must be specified in the Certificate Label field for the Local Node record in the IBM Connect:Direct Secure Plus parameter file. |
RINGNAME | Specifies the ring name of a KEYRING record to which the certificate information is associated. | If you use a keyring, the value in this field must be specified in the Certificate Pathname field for the Local Node record in the IBM Connect:Direct Secure Plus parameter file. |
USAGE | Specifies how this certificate should be used in a keyring for the USERID of the person submitting a batch job or signed on to TSO. | PERSONAL |
DEFAULT | Specifies that the certificate is the default certificate. Only one certificate can be the default certificate. Define the end-user server certificate of the local IBM Connect:Direct node as the default. | YES |
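
A pre-flight check for the rules in the table above, as an added example that is not part of the IBM or CA-ACF2 documentation. It assumes the certificate definition has been copied into a plain Python dict; the dict keys, function names and sample values are hypothetical and constructed for illustration.

```python
from datetime import datetime

# KEYUSAGE values named in the table above.
ALLOWED_KEYUSAGE = {"HANDSHAKE", "DOCSIGN", "DATAENCRYPT", "CERTSIGN"}

def _loose(text):
    """Collapse blanks and case, only to explain *why* an exact match failed."""
    return " ".join(text.split()).lower()

def check_cert_definition(cert, local_node_label, now):
    """Return a list of findings for one certificate definition.

    `cert` is a dict whose keys mirror the table's parameter names
    (hypothetical representation, not a CA-ACF2 record format).
    """
    findings = []
    # LABEL is case and blank sensitive: compare exactly, never strip or fold.
    if cert["label"] != local_node_label:
        if _loose(cert["label"]) == _loose(local_node_label):
            findings.append("label differs only in case or blanks")
        else:
            findings.append("label does not match Local Node Certificate Label")
    usage = set(cert["keyusage"])
    unknown = usage - ALLOWED_KEYUSAGE
    if unknown:
        findings.append("unknown KEYUSAGE: " + ", ".join(sorted(unknown)))
    if "HANDSHAKE" not in usage:
        findings.append("KEYUSAGE lacks required HANDSHAKE")
    if "CERTSIGN" in usage:
        findings.append("KEYUSAGE includes CERTSIGN (CA certificates only)")
    # ACTIVE/EXPIRE must bracket the current time for the handshake to succeed.
    if cert["active"] >= cert["expire"]:
        findings.append("ACTIVE is not before EXPIRE")
    elif now < cert["active"]:
        findings.append("certificate not yet valid")
    elif now > cert["expire"]:
        findings.append("certificate expired")
    return findings

# Constructed sample definitions, not taken from a real system.
NOW = datetime(2024, 6, 1, 12, 0)
GOOD = {"label": "CD Secure Plus", "keyusage": ["HANDSHAKE"],
        "active": datetime(2024, 1, 1), "expire": datetime(2025, 1, 1)}
BAD = {"label": "CD secure plus ", "keyusage": ["DOCSIGN", "CERTSIGN"],
       "active": datetime(2022, 1, 1), "expire": datetime(2023, 1, 1)}

if __name__ == "__main__":
    for name, cert in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_cert_definition(cert, "CD Secure Plus", NOW) or "ok")
```

Run the same check against issuer certificates for the validity window only, since the CERTSIGN rule applies to end-entity certificates.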