Keystore and truststore

A keystore and a truststore hold the certificates and private keys that are used to establish a secure connection between client and server. A key ring is a secure way to store certificates and private keys and can serve as both the keystore and the truststore. The private keys can be stored either in the external security manager (ESM) or in ICSF.

  • To create a key ring, use the following commands:
    RACF
    RACDCERT ID(<ring_owner>) ADDRING(<ring_name>) 
    CA ACF2
    SET PROFILE(USER) DIV(KEYRING) 
    INSERT <ring_owner>.<recid> RINGNAME(<ring_name>) 
    CA TOP SECRET
    TSS ADD(<ring_owner>) KEYRING(<ring_name>) LABLRING(<ring_name>) 
  • To connect certificates to the key ring, use the following commands:
    RACF
    RACDCERT ID(<ring_owner>) CONNECT(LABEL('<certificate_label>') RING(<ring_name>) USAGE(<usage>))
    CA ACF2
    SET PROFILE(USER) DIV(KEYRING) 
    CONNECT CERTDATA(<certificate_recid>) KEYRING(<ring_owner>.<ring_recid>) USAGE(<usage>) 
    CA TOP SECRET
    TSS ADD(<ring_owner>) KEYRING(<ring_name>) RINGDATA(<certificate_owner>,<certificate_label>) USAGE(<usage>) 
  • To create the SAF profile and grant the Zowe started task access to the key ring, use the following commands:
    • If your private key is stored in the external security manager:
      RACF
      RDEFINE RDATALIB <ring_owner>.<ring_name>.LST UACC(NONE)
      PERMIT <ring_owner>.<ring_name>.LST CLASS(RDATALIB) ID(<zowe_stc>) ACCESS(CONTROL)
      CA ACF2
      SET RESOURCE(RDA)
      RECKEY <ring_owner>.<ring_name>.LST ADD(UID(<zowe_stc>) SERVICE(READ,ADD,DELETE,UPDATE,EXECUTE) ALLOW)
      CA TOP SECRET
      TSS PERMIT(<zowe_stc>) RDATALIB(<ring_owner>.<ring_name>.lst) ACCESS(CONTROL) 
    • If your private key is stored in ICSF:
      RACF
      RDEFINE RDATALIB <ring_owner>.<ring_name>.LST UACC(NONE) 
      PERMIT <ring_owner>.<ring_name>.LST CLASS(RDATALIB) ID(<zowe_stc>) ACCESS(READ) 
      RDEFINE CSFKEYS <private_key_label> UACC(NONE) 
      PERMIT <private_key_label> CLASS(CSFKEYS) ID(<zowe_stc>) ACCESS(READ)
      CA ACF2
      SET RESOURCE(RDA) 
      RECKEY <ring_owner>.<ring_name>.LST ADD(UID(<zowe_stc>) SERVICE(READ) ALLOW) 
      SET PROFILE(CSFKEYS) DIVISION(ICSF)
      INSERT <recid> RESOURCE(<private_key_label>)
      CA TOP SECRET
      TSS PERMIT(<zowe_stc>) RDATALIB(<ring_owner>.<ring_name>.lst) ACCESS(READ) 
      TSS PERMIT(<zowe_stc>) CSFKEYS(<private_key_label>) ACCESS(CONTROL)
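The three steps above differ per security manager and per key location, which is easy to get wrong by hand. The following script is an added example, not Zowe's own tooling: it renders the RACF, ACF2 and Top Secret command sets from one description and applies the rule above that the started task needs CONTROL on the ring profile when the private key is in the ESM but only READ (plus access to the CSFKEYS label) when it is in ICSF. The ACF2 record ids derived from the ring name and certificate label, and the quote check on labels, are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class RingSpec:
    esm: str                     # "RACF", "ACF2" or "TSS"
    ring_owner: str
    ring_name: str
    zowe_stc: str                # Zowe started-task user ID
    certs: list = field(default_factory=list)  # (cert_owner, label, usage)
    private_key_label: str = ""  # non-empty means the key is held in ICSF


def ring_commands(spec: RingSpec) -> list:
    """Commands for the three steps above; access level follows key location."""
    if any("'" in label for _, label, _ in spec.certs):
        raise ValueError("certificate labels must not contain a quote")
    o, r, stc, key = spec.ring_owner, spec.ring_name, spec.zowe_stc, spec.private_key_label
    in_icsf = bool(key)
    prof = f"{o}.{r}.LST"
    access = "READ" if in_icsf else "CONTROL"   # RDATALIB rule from the page
    if spec.esm == "RACF":
        cmds = [f"RACDCERT ID({o}) ADDRING({r})"]
        cmds += [f"RACDCERT ID({o}) CONNECT(LABEL('{l}') RING({r}) USAGE({u}))"
                 for _, l, u in spec.certs]
        cmds += [f"RDEFINE RDATALIB {prof} UACC(NONE)",
                 f"PERMIT {prof} CLASS(RDATALIB) ID({stc}) ACCESS({access})"]
        if in_icsf:
            cmds += [f"RDEFINE CSFKEYS {key} UACC(NONE)",
                     f"PERMIT {key} CLASS(CSFKEYS) ID({stc}) ACCESS(READ)"]
    elif spec.esm == "ACF2":
        # Ring name, owner.label and key label stand in for ACF2 record ids (assumption).
        cmds = ["SET PROFILE(USER) DIV(KEYRING)", f"INSERT {o}.{r} RINGNAME({r})"]
        cmds += [f"CONNECT CERTDATA({co}.{l}) KEYRING({o}.{r}) USAGE({u})"
                 for co, l, u in spec.certs]
        svc = "READ" if in_icsf else "READ,ADD,DELETE,UPDATE,EXECUTE"
        cmds += ["SET RESOURCE(RDA)", f"RECKEY {prof} ADD(UID({stc}) SERVICE({svc}) ALLOW)"]
        if in_icsf:
            cmds += ["SET PROFILE(CSFKEYS) DIVISION(ICSF)", f"INSERT {key} RESOURCE({key})"]
    elif spec.esm == "TSS":
        cmds = [f"TSS ADD({o}) KEYRING({r}) LABLRING({r})"]
        cmds += [f"TSS ADD({o}) KEYRING({r}) RINGDATA({co},{l}) USAGE({u})"
                 for co, l, u in spec.certs]
        cmds += [f"TSS PERMIT({stc}) RDATALIB({prof}) ACCESS({access})"]
        if in_icsf:
            cmds += [f"TSS PERMIT({stc}) CSFKEYS({key}) ACCESS(CONTROL)"]
    else:
        raise ValueError(f"unknown ESM {spec.esm!r}")
    return cmds
```

Review the rendered commands before submitting them; the constructed names in the example (ZOWEUSR, ZOWESTC, ZOWERING) must be replaced with your own ring owner, started-task ID and ring name.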