Generating and exporting a key pair and a certificate for Data Gate on Cloud

An additional key pair and certificate are required for each Data Gate on Cloud instance that connects to Db2® for z/OS®.

Before you begin

A Data Gate on Cloud instance requires the RSA key pair and the associated certificate in a password-encrypted PKCS#12 file. You can use your tool of choice or an external certificate authority to generate the PKCS#12 file. This topic contains instructions on how to generate the PKCS#12 file by using the z/OS Security Server RACF® RACDCERT command.

See RACDCERT GENCERT (Generate certificate) for information about the authorizations that are required to run the RACDCERT command.

About this task

The steps in this section do not require or cause an outage of the system.

Procedure

  1. Create a JCL job and add commands to generate a pair of keys and a certificate to contain the public key for a Data Gate on Cloud instance, so that the z/OS client LPAR can identify the Data Gate on Cloud instance as an authorized participant in the encrypted network communication.
    See the following example:
    //*
    //* Create a personal certificate for the ACC148 accelerator
    //* signed by the CA
    //CRKEY   EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
    //SYSTSIN  DD *
     RACDCERT ID(DB2USER) GENCERT                                +
         SUBJECTSDN(CN('ACC148')                                +
         O('IBM DEUTSCHLAND RESEARCH & DEVELOPMENT GMBH')       +
         OU('SYSTEM Z SW TESTLAB')                              +
         L('BOEBLINGEN') SP('BADEN WUERTTEMBERG') C('DE'))      +
         NOTAFTER(DATE(2030-12-31))                             +
         SIZE(2048)      WITHLABEL('ACC148TTLS')                +
         KEYUSAGE(HANDSHAKE)                                    +
         SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
    /*

    In this example, a key pair and a certificate with the alias name ACC148TTLS (WITHLABEL('ACC148TTLS')) are created. An alias (or X.509 friendly name) is required to refer to the certificate when you enable TLS communication. The certificate is signed by a certificate authority (CA) named DB2 SERVER CA.

  2. Add commands to the JCL that will store the key pair and the certificate in a PKCS#12 file that can be transferred and read by the Data Gate on Cloud instance, for example:
    //* run a second command
    //CONN    EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
    //* export the key pair and certificate into a PKCS#12 file
    //* that can be transferred to the Db2 Data Gate instance
    //SYSTSIN  DD *
     RACDCERT EXPORT(LABEL('ACC148TTLS')) ID(DB2USER)           +
     DSN('DGSVT2.P12') FORMAT(PKCS12DER) PASSWORD('PASSWORD')
    /*
    Important:
    • The file type of the certificate file is PKCS#12, but the value that you must specify in the FORMAT keyword when you export a file of this type is PKCS12DER.
    • Keep the password of the PKCS#12 file secret. Anyone who has access to both the file and the password can obtain the private key that authenticates the TLS connection and can therefore use that key to attack the encrypted traffic.
    • Only the following characters are allowed for the password of the PKCS#12 file:
      • a-z
      • A-Z
      • 0-9
      • Underscore ( _ )
  3. Submit the job.
    The result is a sequential data set.
  4. Download the PKCS#12 certificate file to your computer as binary data (without character set translation), so that you can upload it to Data Gate on Cloud through the Data Gate on Cloud service on Red Hat® OpenShift®. In this example, the downloaded file is named dgsvt2.p12.
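    The two mistakes that most often break this procedure are a PKCS#12 password that uses characters outside the allowed set and a downloaded file that is not the binary PKCS12DER output (for example, a Base64 export or a file mangled by a text-mode transfer). The following script is an added example, not part of the IBM documentation or of the Data Gate product, that checks both points with only the Python standard library. It recognizes a DER-encoded PKCS#12 file by its outer structure (SEQUENCE { INTEGER 3, ... }) as defined in RFC 7292; it does not open or validate the keystore itself. The sample bytes SAMPLE_DER and SAMPLE_B64 are constructed for offline testing and are not a usable keystore.

```python
"""Offline sanity checks for a PKCS#12 file exported with RACDCERT FORMAT(PKCS12DER).

Added example (not IBM code). Checks:
  1. the PKCS#12 password uses only a-z, A-Z, 0-9 and underscore;
  2. the downloaded file is binary DER (outer SEQUENCE, PKCS#12 version 3)
     rather than Base64 text or bytes mangled by a text-mode download.
"""
import base64
import getpass
import re
import sys

# Character set that the procedure allows for the PKCS#12 password.
ALLOWED_PASSWORD = re.compile(r"[A-Za-z0-9_]+")


def validate_pkcs12_password(password: str) -> tuple:
    """Return (ok, reason). The password itself is never echoed in the reason."""
    if not password:
        return False, "password is empty"
    if not ALLOWED_PASSWORD.fullmatch(password):
        return False, "password contains characters outside a-z, A-Z, 0-9 and underscore"
    return True, "ok"


def _read_der_length(data: bytes, offset: int) -> tuple:
    """Decode a DER length field at `offset`; return (length, offset after it)."""
    first = data[offset]
    if first < 0x80:                      # short form: the byte is the length
        return first, offset + 1
    n = first & 0x7F                      # long form: number of length bytes
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    value = int.from_bytes(data[offset + 1:offset + 1 + n], "big")
    return value, offset + 1 + n


def _looks_like_der_pfx(data: bytes) -> bool:
    """True if data starts like a DER PFX: SEQUENCE whose first element is INTEGER 3."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    try:
        seq_len, pos = _read_der_length(data, 1)
    except (ValueError, IndexError):
        return False
    if seq_len > len(data) - pos:         # declared length must fit in the file
        return False
    return data[pos:pos + 3] == b"\x02\x01\x03"


def sniff_pkcs12_format(data: bytes) -> str:
    """Classify file bytes as "PKCS12DER", "BASE64" (text wrapping a DER PFX,
    e.g. a PKCS12B64 export) or "UNKNOWN" (not a PKCS#12 file as exported here)."""
    if _looks_like_der_pfx(data):
        return "PKCS12DER"
    # Drop PEM-style armor lines, if any, and all whitespace before decoding.
    text = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
    text = b"".join(text.split())
    try:
        decoded = base64.b64decode(text, validate=True)
    except ValueError:                    # binascii.Error is a ValueError subclass
        return "UNKNOWN"
    return "BASE64" if _looks_like_der_pfx(decoded) else "UNKNOWN"


# Constructed sample: only the outer shell of a PFX (version 3 plus an empty
# placeholder for authSafe). It exercises the format check offline; it is NOT
# a usable keystore. A real input is the data set downloaded in step 4.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x03, 0x30, 0x00])
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)


def check_file(path: str, password: str) -> dict:
    """Run both checks against a downloaded file and return the findings."""
    with open(path, "rb") as fh:
        data = fh.read()
    ok, reason = validate_pkcs12_password(password)
    return {"format": sniff_pkcs12_format(data), "password_ok": ok, "password_reason": reason}


if __name__ == "__main__":
    # Usage (hypothetical file name from the procedure): python check_p12.py dgsvt2.p12
    result = check_file(sys.argv[1], getpass.getpass("PKCS#12 password: "))
    print(result)
    if result["format"] != "PKCS12DER" or not result["password_ok"]:
        sys.exit(1)
```

A "BASE64" result means the export used a Base64 format rather than PKCS12DER; an "UNKNOWN" result on a file that was exported correctly usually points at a download that translated the bytes instead of transferring them as binary. Re-export or re-download and run the check again before uploading the file.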