Create digital certificates and key ring using RACF

Create the certificates and key ring for use with AT-TLS to secure communication between Tivoli Management Services on z/OS components.

Before you begin

Certificates are used for authentication. You can use RACF for handling certificates for secure communications, as described in this topic.
Tip: You can also generate certificates outside of z/OS according to your organization policy and then import the certificates to RACF or Integrated Cryptographic Service Facility (ICSF).
For other security management products, refer to your product documentation for information about handling certificates and key rings.
About this task

When you set up your certificates and key ring, you perform the following actions:

  • Generate the certificates.
  • Create the key ring that will be used in the AT-TLS rules, and add the OMEGAMON started task user ID as the owner.
    Note: For more information about authorizing the OMEGAMON started tasks, see (If needed) Define security authorization for OMEGAMON started tasks.
  • Add the certificate chain to the created key ring: root, intermediate, personal certificates (certificates might vary depending on your company policies).
The following procedure provides example RACF commands to perform these actions. In the example, ITMUSER is the z/OS user ID under which the OMEGAMON started tasks run, and ITMkeyring is the name of the key ring.
Note: The examples are intended as a guide; you can organize your certificates differently, depending on the requirements of your site.

Procedure

  1. Enter the following RACF commands to give the started task user ID the authority it needs for the RACF RACDCERT command. In this example, ITMUSER is the z/OS user ID under which the OMEGAMON started tasks run.
    SETROPTS CLASSACT(DIGTCERT DIGTRING)
    RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
    
    PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(CONTROL) ID(ITMUSER)
    PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(READ) ID(ITMUSER)
    
    SETROPTS RACLIST(DIGTRING) REFRESH
    SETROPTS RACLIST(DIGTCERT) REFRESH
    SETROPTS RACLIST(FACILITY) REFRESH
    Tip: Granting permits to the IRR.DIGTCERT profiles in the FACILITY class is one way to grant access to the key ring. A more precise alternative is to create a profile in the RDATALIB class and grant permission to it. CONTROL access to an RDATALIB profile is required only in some cases (for example, when a SITE certificate is used in the key ring as a PERSONAL certificate). For more information, see the RACF authorization and Usage notes topics in z/OS Security Server RACF Callable Services.
  2. Enter the following RACF command to generate a certificate authority (CA) certificate:
    RACDCERT CERTAUTH 
             GENCERT 
             SUBJECTSDN(OU('<SYSNAME>CA') 
                        O('IBM') 
                        L('Raleigh') 
                        SP('NC') 
                        C('US')) 
             NOTAFTER(DATE(2030-12-31)) 
             WITHLABEL('<SYSNAME>CA') 
             KEYUSAGE(CERTSIGN)
  3. Enter the following RACF command to generate a site certificate:
    RACDCERT ID(ITMUSER) 
             GENCERT 
             SUBJECTSDN(CN('sysname.tivlab.raleigh.ibm.com') 
                        OU('<SYSNAME>') 
                        O('IBM') 
                        L('Raleigh') 
                        SP('NC') 
                        C('US')) 
             NOTAFTER(DATE(2030-12-31)) 
             WITHLABEL('<SYSNAME>Certificate') 
             SIGNWITH(CERTAUTH LABEL('<SYSNAME>CA'))
  4. Enter the following RACF commands to define the key ring, connect the CA and site certificates to it, and activate your changes. In this example, ITMkeyring is the name of the key ring.
    RACDCERT ID(ITMUSER) 
             ADDRING(ITMkeyring)
    
    RACDCERT ID(ITMUSER) 
             CONNECT(CERTAUTH LABEL('<SYSNAME>CA') 
             RING(ITMkeyring))
    
    RACDCERT ID(ITMUSER) 
             CONNECT(ID(ITMUSER) 
             LABEL('<SYSNAME>Certificate') 
             RING(ITMkeyring) DEFAULT)
    
    SETROPTS REFRESH RACLIST(STARTED)
  5. In a configuration with multiple systems, where the remote TEMS and the hub TEMS run on different LPARs, the public key of the CA certificate must be exported and saved in a data set. You must then add the public key of the CA certificate to the key ring used by the remote clients.
    RACDCERT CERTAUTH 
             EXPORT(LABEL('<SYSNAME>CA')) 
             DSN('<output-data-set-name>')
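After completing the steps above, a check that is not part of the original procedure but that a practitioner would run before pointing the AT-TLS rules at the ring: the batch job below (an added example, using the same ITMUSER, ITMkeyring and <SYSNAME> placeholders as the procedure; the job card is an assumption for your site) lists the CA certificate, the site certificate, the ring contents, and who holds access to the LISTRING profile.

```jcl
//RACFVER  JOB (ACCT),'VERIFY ITM KEYRING',CLASS=A,MSGCLASS=X
//* Added verification job, not from the original topic.
//* What to look for in SYSTSPRT:
//*  - The CA certificate shows Status: TRUST, Key Usage: CERTSIGN and
//*    a NOTAFTER date in the future.
//*  - The site certificate's Issuer's Name matches the CA's Subject's
//*    Name and it has a private key (a certificate without one cannot
//*    be used as the server identity).
//*  - LISTRING shows the CA as CERTAUTH and the site certificate as
//*    PERSONAL with DEFAULT: YES; labels are case sensitive, so they
//*    must match the WITHLABEL values exactly.
//*  - ITMUSER appears in the access list of IRR.DIGTCERT.LISTRING
//*    with READ (or holds access through an RDATALIB profile instead).
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH LIST(LABEL('<SYSNAME>CA'))
  RACDCERT ID(ITMUSER) LIST(LABEL('<SYSNAME>Certificate'))
  RACDCERT ID(ITMUSER) LISTRING(ITMkeyring)
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
/*
```

If any certificate is listed with Status: NOTRUST, or the LISTRING output does not show both certificates, AT-TLS handshakes that reference ITMkeyring will fail, so resolve that before enabling the policy.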