Configuring the IWNSAFK job
Starting with Copy Services Manager Version 6.3.6, you can run the post-installation IWNSAFK job. The job creates a certificate authority (CA) certificate and a server certificate signed by it, and defines the RACF profiles, permissions, and key ring that SAF key ring authorization requires to run the Copy Services Manager application over SSL. You can find this job in the SYS1.SAMPLIB data set.
About this task
The IWNSAFK job is a template: you replace its placeholder variables with values for your system before you submit it. It generates a CA certificate, generates a server certificate signed by that CA, connects the server certificate to a new key ring owned by the Copy Services Manager user ID, and grants that user ID the FACILITY class permissions needed to read the key ring and use its private key, so that the application can run over SSL. The key ring name and owner that you choose must match the keystore_location value in bootstrap.properties.
Procedure
- Locate the IWNSAFK job in the SYS1.SAMPLIB data set and open it.
- Modify the following procedure to meet the system requirements for SAF key ring authorization to run the Copy Services Manager application over SSL. See the job header comments for the definition of the variables that are used in this job.
```jcl
//IWNSAFKR JOB <job parameters>
//*********************************************************************
//* LICENSED MATERIALS - PROPERTY OF IBM                              *
//* THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"               *
//* (C) COPYRIGHT IBM CORPORATION 2007,2023.                          *
//* ALL RIGHTS RESERVED.                                              *
//*                                                                   *
//* IBM Copy Services Manager for z/OS                                *
//*                                                                   *
//* CAUTION: This is neither a JCL procedure nor a complete job.      *
//* Before using this job step, make the following                    *
//* modifications:                                                    *
//*                                                                   *
//* This job enables RACF permissions necessary for Java access       *
//* and authorization to the necessary facilities to be able to       *
//* access the cryptography cards on a zOS system.                    *
//* The user is the owner of the IWNSRV address space and             *
//* is required to have read access to the key-ring as well as        *
//* digital certificate facilities. This user must also be            *
//* added to the facility that can generate certificate requests.     *
//* The CSFSERV general resource class is defined to allow            *
//* access to protected resources used by PKCS #11 services.          *
//* Users must be SAF authorized to the CSFSERV profile for the       *
//* services for PKCS #11 services to execute.                        *
//* After this job is submitted ensure the #csm_id is concatenated    *
//* with a / and then the #ring_name                                  *
//* in the bootstrap.properties:                                      *
//*   keystore_location=//#csm_id/#ring_name                          *
//* based on the recommended values below you would set as follows:   *
//*   keystore_location=//CSMUSER/GUIKEYRING                          *
//*                                                                   *
//* Steps to complete this job:                                       *
//* 1) Change the job card to meet your system requirements.          *
//* 2) Replace the following variables:                               *
//*    #csm_id        - User ID for the Copy Services Manager         *
//*                     started tasks.                                *
//*                   - It is suggested that you use "CSMUSER"        *
//*                     as the user ID.                               *
//*    #own_name      - Owner name for the IWNSRV and                 *
//*                     optional IWNAUTH address spaces.              *
//*    #cert_label    - Label for the CSM GUI certificate.            *
//*                   - It is recommended to use 'CSM GUI'.           *
//*    #cert_CA_label - Label for the certificate authority signer.   *
//*                   - It is recommended to use 'CSMCA'.             *
//*    #common_name   - The common name for the CA certificate.       *
//*    #org           - The certificate organization.                 *
//*    #org_unit      - The certificate signer organization unit.     *
//*    #country       - Your 2 character country abbreviation.        *
//*    #ring_name     - The key-ring name that will be specified      *
//*                     in the bootstrap.properties.                  *
//*                   - It is recommended to use 'GUIKEYRING'.        *
//*    #expire_date   - format YYYY-MM-DD, e.g. 2029-12-31            *
//*    #host_name     - fully qualified domain name for the           *
//*                     CSM server host name,                         *
//*                     e.g. host1.storage.org.com                    *
//*                                                                   *
//*********************************************************************
/*
//IWNSAFKR EXEC PGM=IKJEFT01
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
/* Define the self-signed CA certificate. Comment this section out  */
/* if you already have a certificate authority set up for use with  */
/* CSM. The CA label must match the SIGNWITH label used below.      */
RACDCERT GENCERT CERTAUTH SUBJECTSDN +
  (CN('#common_name') O('#org') +
   OU('#csm_id') +
   C('#country')) KEYUSAGE(CERTSIGN) +
  WITHLABEL('#cert_CA_label') +
  TRUST NOTAFTER(DATE(#expire_date))
/* */
RACDCERT ADDRING(#ring_name.#csm_id) ID(#csm_id)
/* Refresh the facilities */
SETR CLASSACT(DIGTCERT)
SETR RACLIST(DIGTCERT)
SETR RACLIST(DIGTCERT) REFRESH
/* */
/* Generate a new server certificate for the user ID IWNSRV,         */
/* signed by the CA certificate defined above.                       */
RACDCERT ID(#csm_id) GENCERT SUBJECTSDN +
  (CN('#host_name') +
   OU('#org_unit') O('#org') C('#country')) +
  WITHLABEL('#cert_label') +
  SIZE(2048) +
  RSA +
  SIGNWITH(CERTAUTH LABEL('#cert_CA_label')) +
  KEYUSAGE(HANDSHAKE) +
  NOTAFTER(DATE(#expire_date) TIME(00:00:00))
/* */
/* Add TRUST to the server certificate defined above                 */
RACDCERT ID(#csm_id) ALTER(LABEL('#cert_label')) TRUST
/* */
/* *Optional* if using RSA with PKDS - EXPORT THE PERSONAL CERT TO A */
/* DATASET.                                                          */
/* Move the following line to replace RSA in the GENCERT:            */
/*   RSA(PKDS) +                                                     */
/* RACDCERT ID(#csm_id) EXPORT(LABEL('#cert_label')) +               */
/*   DSN('USRLCL.CSM.GUI.P12BIN') FORMAT(PKCS12DER) PASSWORD('PASS') */
/* Create a new key ring for the user. Labels are case sensitive.    */
RACDCERT ID(#csm_id) ADDRING(#ring_name)
/* */
/* Connect the created server certificate to the new key ring        */
RACDCERT ID(#csm_id) CONNECT(ID(#csm_id) LABEL('#cert_label') +
  RING(#ring_name) DEFAULT)
/* */
/* Give the user permission to read its own key ring:                */
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(#csm_id) +
  ACCESS(READ)
/* Uncomment the next two lines if you get the error "not RACF       */
/* authorized to use the requested service" when loading the keyring */
/* PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(#own_name) +      */
/*   ACCESS(READ)                                                    */
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(#csm_id) +
  ACCESS(READ)
/* Permit the server to access the private key. It needs CONTROL     */
/* access to IRR.DIGTCERT.GENCERT.                                   */
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(#csm_id) ACCESS(CONTROL)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(DIGTCERT,DIGTRING,RDATALIB) REFRESH
/* Confirm the generated key ring and server certificate             */
RACDCERT LIST(LABEL('#cert_label')) ID(#csm_id)
RACDCERT LISTRING(#ring_name) ID(#csm_id)
/*
```
- After you replace the variables, submit the IWNSAFK job.
- The job always returns code 0, so review the job log to ensure that the permissions were set up properly.
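Because the job returns code 0 even when a RACF command fails, it pays to validate the substituted values before submitting. The script below is an added pre-submission check, not part of the sample job or the product: it replaces the header's placeholders in a constructed excerpt of the SYSTSIN input, checks the value formats the header specifies, and derives the keystore_location line that bootstrap.properties must carry. The #own_name, #org, #org_unit, #common_name and #host_name values are hypothetical.

```python
import re
from datetime import date

# Constructed, abbreviated excerpt of the SYSTSIN input, with the
# placeholders spelled exactly as the job header names them.
JCL_EXCERPT = """\
RACDCERT ID(#csm_id) GENCERT SUBJECTSDN +
  (CN('#host_name') OU('#org_unit') O('#org') C('#country')) +
  WITHLABEL('#cert_label') SIZE(2048) RSA +
  SIGNWITH(CERTAUTH LABEL('#cert_CA_label')) +
  NOTAFTER(DATE(#expire_date) TIME(00:00:00))
RACDCERT ID(#csm_id) ADDRING(#ring_name)
"""

# The four values the header recommends, plus hypothetical site values.
VALUES = {
    "#csm_id": "CSMUSER", "#own_name": "CSMOWN", "#cert_label": "CSM GUI",
    "#cert_CA_label": "CSMCA", "#common_name": "CSM CA", "#org": "EXAMPLE",
    "#org_unit": "STORAGE", "#country": "US", "#ring_name": "GUIKEYRING",
    "#expire_date": "2029-12-31", "#host_name": "host1.storage.example.com",
}

def check_values(v):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", v["#expire_date"]):
        problems.append("#expire_date must be YYYY-MM-DD")
    else:
        try:
            date.fromisoformat(v["#expire_date"])
        except ValueError:
            problems.append("#expire_date is not a real date")
    if not re.fullmatch(r"[A-Z]{2}", v["#country"]):
        problems.append("#country must be a 2-character code")
    for key in ("#csm_id", "#own_name"):  # RACF user IDs are 1-8 characters
        if not re.fullmatch(r"[A-Z0-9@#$]{1,8}", v[key]):
            problems.append(f"{key} is not a valid RACF user ID")
    if not re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", v["#host_name"]):
        problems.append("#host_name must be a fully qualified domain name")
    if v["#cert_label"] == v["#cert_CA_label"]:
        problems.append("server and CA certificate labels must differ")
    return problems

def substitute(jcl, v):
    """Replace placeholders longest-name-first so #org cannot eat #org_unit."""
    for name in sorted(v, key=len, reverse=True):
        jcl = re.sub(re.escape(name), lambda m, s=v[name]: s, jcl)
    return jcl

def unresolved(jcl):
    """Placeholders still present after substitution ('#11' in PKCS #11 is ignored)."""
    return sorted(set(re.findall(r"#[A-Za-z][A-Za-z_]*", jcl)))

def keystore_location(v):
    """The bootstrap.properties line the job header says must match the job."""
    return f"keystore_location=//{v['#csm_id']}/{v['#ring_name']}"
```

Run check_values before substitute, and refuse to submit if unresolved() still reports any placeholder.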