SQL Data Insights (SQL DI) uses SSL to secure network communications and RACF® to authenticate users. You must configure a RACF keyring and an associated keystore (JCERACFKS) to manage your SSL certificates and SQL DI user authentication.
A RACF keyring is a set of digital certificates, private keys, and key mappings that defines your network trust policy. JCERACFKS is the Java keystore type through which a Java application such as SQL DI reads a RACF keyring as its keystore and truststore. To configure the keyring and keystore, make sure that your user ID has the RACF SPECIAL attribute or sufficient authority as described in RACDCERT command.
- Create a keyring by issuing the following RACF command:
RACDCERT ADDRING(SQLDIRG) ID(SQLDIID)
Where SQLDIRG is the name of the keyring and SQLDIID is the user ID that owns it.
- Generate a CA (certificate authority) certificate by issuing the following command:
RACDCERT GENCERT CERTAUTH +
SUBJECTSDN( +
CN('PLEXE2') +
C('US') +
SP('CA') +
L('SAN JOSE') +
O('IBM') +
OU('SQLDI') +
) +
ALTNAME( +
EMAIL('user1@ibm.com') +
) +
WITHLABEL('SQLDICert') +
NOTAFTER(DATE(2030/01/01))
If you use an existing CA-signed certificate from your business instead, make sure that the root CA certificate is added to RACF with RACDCERT ADD, or imported with RACDCERT IMPORT. See RACDCERT command for instructions.
- Generate a user certificate for <sqldi_setup_userid> and sign it with the CA certificate by issuing the following command:
RACDCERT GENCERT ID(SQLDIID) +
SUBJECTSDN( +
CN('PLEXE2') +
C('US') +
SP('CA') +
L('SAN JOSE') +
O('IBM') +
OU('SQLDI') +
) +
ALTNAME( +
EMAIL('user1@ibm.com') +
) +
WITHLABEL('SQLDICert_SQLDIID') +
SIGNWITH(CERTAUTH LABEL('SQLDICert')) +
NOTAFTER(DATE(2022/01/01))
Where SQLDIID is the owner of the RACF keyring (in this example, the same user ID as <sqldi_setup_userid>). The NOTAFTER dates are sample values; give the user certificate an expiry date that does not extend past the CA certificate's, because the chain stops validating once the issuer expires.
- Connect the CA certificate and the user certificate to the keyring you created, marking the user certificate as the personal certificate, by issuing the following commands:
RACDCERT ID(SQLDIID) CONNECT(CERTAUTH LABEL('SQLDICert') +
RING(SQLDIRG))
RACDCERT ID(SQLDIID) CONNECT(ID(SQLDIID) LABEL('SQLDICert_SQLDIID') +
RING(SQLDIRG) USAGE(PERSONAL))
- Grant <sqldi_setup_userid> permission to access the keyring and the CA certificate.
<sqldi_setup_userid> must have READ or UPDATE authority to the IRR.DIGTCERT.LISTRING resource in the FACILITY class. READ access lets a user list their own keyrings; UPDATE access lets a user list keyrings owned by other user IDs.
Issue the following commands:
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(<sqldi_setup_userid>) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
<sqldi_setup_userid> must also have READ or UPDATE authority to the <ringOwner>.<ringName>.LST resource in the RDATALIB class. READ access lets a user read the keyring and retrieve the private keys of certificates that the user owns; UPDATE access additionally allows retrieval of the private keys of certificates owned by other user IDs. If <sqldi_setup_userid> is not the owner of the user certificate, grant UPDATE instead of READ.
Issue the following commands:
RDEFINE RDATALIB SQLDIID.SQLDIRG.LST UACC(NONE)
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
PERMIT SQLDIID.SQLDIRG.LST CLASS(RDATALIB) ID(<sqldi_setup_userid>) ACCESS(READ)
SETROPTS RACLIST(RDATALIB) REFRESH
See Configuring setup user ID for SQL DI for the full list of the privileges required for <sqldi_setup_userid>.
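As an added check after the steps above (example code written for this page, not SQL DI's own code or part of IBM's documentation), the following Java program opens the keyring through the JCERACFKS keystore type the way a Java client does, lists what the current user ID can see, and confirms that the CA certificate is connected and that the private key of the personal certificate is retrievable, which exercises the CONNECT steps and the FACILITY and RDATALIB permissions together. It assumes IBM Java on z/OS with the IBMJCE provider, which supplies the safkeyring URL handler and the JCERACFKS keystore; the class name KeyringCheck is an invention for this example, and the ring, owner and label names are the ones used in the commands above.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example for this page: verifies the RACF keyring configured above through
// the JCERACFKS keystore type. Assumes IBM Java on z/OS with the IBMJCE provider.
public class KeyringCheck {
    // Names taken from the RACDCERT commands above.
    static final String RING_OWNER = "SQLDIID";
    static final String RING_NAME = "SQLDIRG";
    static final String CA_LABEL = "SQLDICert";
    static final String PERSONAL_LABEL = "SQLDICert_SQLDIID";

    // Open the keyring as a keystore. JCERACFKS uses the RACF certificate labels as
    // aliases, has no keystore password, and is addressed by a safkeyring:// URL.
    static KeyStore loadKeyring(String owner, String ring) throws Exception {
        // The safkeyring URL handler lives in the IBM JCE provider package.
        System.setProperty("java.protocol.handler.pkgs", "com.ibm.crypto.provider");
        KeyStore ks = KeyStore.getInstance("JCERACFKS");
        try (InputStream in = new URL("safkeyring://" + owner + "/" + ring).openStream()) {
            ks.load(in, null);
        }
        return ks;
    }

    // Returns null when the ring is usable, otherwise a description of what is missing
    // and which step or permission above to revisit.
    static String check(KeyStore ks) throws Exception {
        if (!ks.containsAlias(CA_LABEL)) {
            return "CA certificate " + CA_LABEL + " is not visible: check the CONNECT(CERTAUTH ...) "
                 + "step and READ access to IRR.DIGTCERT.LISTRING";
        }
        if (!ks.containsAlias(PERSONAL_LABEL)) {
            return "personal certificate " + PERSONAL_LABEL + " is not connected to the ring";
        }
        Key key = ks.getKey(PERSONAL_LABEL, null);   // password is ignored for RACF keys
        if (key == null) {
            return "private key of " + PERSONAL_LABEL + " is not retrievable: check access to "
                 + RING_OWNER + "." + RING_NAME + ".LST in the RDATALIB class "
                 + "(UPDATE is needed when the certificate is owned by another user ID)";
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(PERSONAL_LABEL);
        cert.checkValidity();   // throws CertificateExpiredException once NOTAFTER has passed
        return null;
    }

    // Build the SSLContext a client would use, with the ring as both keystore and truststore.
    static SSLContext sslContext(KeyStore ks) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);   // no key password for RACF-managed private keys
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyring(RING_OWNER, RING_NAME);
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-20s key=%-5b subject=%s notAfter=%s%n",
                alias, ks.isKeyEntry(alias), c.getSubjectX500Principal(), c.getNotAfter());
        }
        String problem = check(ks);
        if (problem != null) {
            System.err.println("keyring check failed: " + problem);
            System.exit(1);
        }
        SSLContext ctx = sslContext(ks);
        System.out.println("keyring usable; SSLContext protocol " + ctx.getProtocol());
    }
}
```

Compile and run it under <sqldi_setup_userid> (javac KeyringCheck.java, then java KeyringCheck) after the SETROPTS REFRESH commands have completed. A listing that shows SQLDICert but not SQLDICert_SQLDIID, or shows the personal certificate with key=false, points at the RDATALIB permission rather than at the certificates themselves. For a quick look without writing code, the same keyring can be listed with keytool -list -keystore safkeyring://SQLDIID/SQLDIRG -storetype JCERACFKS -J-Djava.protocol.handler.pkgs=com.ibm.crypto.provider, which reports each label and whether it is a PrivateKeyEntry or a trustedCertEntry.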