Select the KeyStore creation method

You can create and populate the KeyStore file with one of the following methods:
  • Using the HUHCRYPT JCL

    This method is a wrapper around the z/OS UNIX command-line method that incorporates variable definitions and script invocation into a single JCL. HUHCRYPT is located in HUH.#CUST.JCL, unless you specified a different location when you customized and submitted the HUH.SHUHSAMP(HUHSETUP) job. For more details, see Customization setup.

  • Using the z/OS UNIX command line
    This method does not have the line-length limitations that JCL has, but it requires the following steps:
    1. Copy and customize the rseapi.certificate.env file.

      The rseapi.certificate.env file resides in the /usr/lpp/IBM/rseapi/samples directory, unless you used a different path during the SMP/E installation of RSE API.

    2. From the directory that holds the customized rseapi.certificate.env, invoke the /usr/lpp/IBM/rseapi/tomcat.base/bin/huhcrypto.sh script. The exact script location depends on the path that was used during the SMP/E installation of RSE API.
  • Using an existing server certificate that resides in your security database
    This method does not invoke the script that creates a new certificate; instead, it lets you use an existing certificate. Issue the following commands on the z/OS UNIX command line to store the certificate and related Certificate Authority (CA) certificate in a KeyStore file:
    1. Issue TSO OMVS to get to the z/OS UNIX command line.
    2. Export the server and CA certificates from your security database to sequential data sets. These sample commands assume you are using RACF as security manager.
      tso "RACDCERT CERTAUTH EXPORT(LABEL('#rseapi')) FORMAT(PKCS12DER) PASSWORD('#mypassword') DSN('MY.RACF.SIGNED.RSEAPI.CERT.P12')"
      tso "RACDCERT CERTAUTH EXPORT(LABEL('#ca.label')) FORMAT(CERTB64) DSN('MY.RACF.PUBLIC.CA.CERT.B64')"
    3. Go to the directory that will hold the KeyStore (the directory is created by the HUHSETUP JCL described in Customization setup).
      cd /etc/zexpl/rseapi_crypto
    4. Copy the exported server certificate to this directory as a (PKCS12) KeyStore file.
      cp "//'MY.RACF.SIGNED.RSEAPI.CERT.P12'" keystore
    5. Add the CA certificate to the KeyStore file.
      cp "//'MY.RACF.PUBLIC.CA.CERT.B64'" ca.crt
      keytool -importcert -trustcacerts -noprompt -alias #ca.label -keystore keystore -storetype PKCS12 -storepass #mypassword -file ca.crt
    6. Verify the result.
      keytool -list -keystore keystore -storepass #mypassword -storetype PKCS12
    With these steps completed, you can skip straight to the Customize rseapi.env section, and use these values for the RSEAPI_KEYSTORE_* variables:
    RSEAPI_KEYSTORE_FILE=$RSEAPI_CFG/rseapi_crypto/keystore
    RSEAPI_KEYSTORE_PASS=#mypassword
    RSEAPI_KEYSTORE_TYPE=PKCS12
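
Step 6 lists the KeyStore but leaves reading the output to you. The following shell function is an added example, not part of the original page or of RSE API: it assumes the usual keytool -list output format and passes only when the store type matches and the store holds both a PrivateKeyEntry (the server certificate with its private key) and a trustedCertEntry (the CA certificate). The names check_listing, sample_good and sample_no_key are hypothetical, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): interpret `keytool -list` output.

# check_listing TYPE
# Reads a keytool listing on stdin, prints a one-line summary, and succeeds only
# if the store type is TYPE and the store holds at least one PrivateKeyEntry
# (server certificate plus private key) and one trustedCertEntry (CA).
check_listing() {
    awk -v want="$1" '
        /^Keystore type:/      { ktype = $3 }
        /, *PrivateKeyEntry,/  { keys++ }
        /, *trustedCertEntry,/ { cas++ }
        END {
            printf "type=%s private_keys=%d trusted_certs=%d\n", ktype, keys, cas
            exit !(toupper(ktype) == toupper(want) && keys >= 1 && cas >= 1)
        }'
}

# Constructed sample: the listing expected after steps 4 and 5.
sample_good() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

ca.label, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33 (constructed)
rseapi, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 44:55:66:77 (constructed)
EOF
}

# Constructed sample: a store with only certificates and no private key,
# which a TLS server cannot use.
sample_no_key() {
    sample_good | sed 's/PrivateKeyEntry/trustedCertEntry/'
}

# Real use, from the KeyStore directory (password placeholder as on the page):
#   keytool -list -keystore keystore -storepass #mypassword -storetype PKCS12 |
#       check_listing PKCS12 || echo "KeyStore incomplete"
sample_good   | check_listing PKCS12 && echo "sample_good: usable"
sample_no_key | check_listing PKCS12 || echo "sample_no_key: incomplete"
```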