Creating a RACF key ring for Data Streamer and data gatherers
To configure AT-TLS connections between the Data Streamer and the data gatherers, you must create a RACF® key ring for the Data Streamer and the data gatherers.
Before you begin
You need the authority to issue the RACDCERT commands that create the RACF key ring and certificates. For more information about the RACDCERT commands and the authorizations that are required, see RACDCERT (Manage RACF digital certificates) in the z/OS® Security Server RACF Command Language Reference.
About this task
In the following examples, HBOLGF is the user ID that is assigned to the Data Streamer started task. If your Data Streamer started task runs under a different user ID, substitute that user ID wherever HBOLGF appears.
Procedure
- Obtain a certificate for the Data Streamer. To establish TLS communication between the Data Streamer and the data gatherers, the server side (the Data Streamer) must have a server certificate.
You can use an existing server certificate, such as a SITE certificate for the LPAR, for the Data Streamer. If none is available, complete the following steps to create a locally signed server certificate.
- Generate a self-signed certificate to represent the local certificate authority. This certificate is used as the CA certificate. If you already have a CA certificate, skip this step.
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('Root CA for CDP') OU('xxxx') O('yyyy') C('US')) RSA SIZE(2048) NOTAFTER(DATE(2030-12-31)) WITHLABEL('cdpCA')
SETROPTS RACLIST(DIGTCERT) REFRESH
RACDCERT CERTAUTH LIST(LABEL('cdpCA'))
- OU('xxxx') O('yyyy') C('US')
- Specify your organizational unit name, organization name, and country.
- NOTAFTER(DATE(2030-12-31))
- Specify the expiry date that you need.
- Create a personal certificate for the Data Streamer that is signed by the CA certificate that you created in step 1.a.
RACDCERT ID(HBOLGF) GENCERT SUBJECTSDN(CN('yourhost.yourcompany.com') OU('xxxx') O('yyyy') C('US')) ALTNAME(DOMAIN('yourhost.yourcompany.com')) RSA SIZE(2048) KEYUSAGE(HANDSHAKE) NOTAFTER(DATE(2030-12-31)) WITHLABEL('cdpDSCert') SIGNWITH(CERTAUTH LABEL('cdpCA'))
SETROPTS RACLIST(DIGTCERT) REFRESH
RACDCERT ID(HBOLGF) LIST(LABEL('cdpDSCert'))
- CN('yourhost.yourcompany.com')
- Specify the fully qualified host name of the z/OS system where the Data Streamer runs. Use the same name in ALTNAME(DOMAIN(...)): TLS clients validate the host name they connected to against the subject alternative name in the server certificate, so it must match the name the data gatherers use.
- OU('xxxx') O('yyyy') C('US')
- Specify your organizational unit name, organization name, and country.
- NOTAFTER(DATE(2030-12-31))
- Specify the expiry date that you need.
- Create a RACF key ring for the Data Streamer and the data gatherers.
RACDCERT ID(HBOLGF) ADDRING(Keyring.CDP)
RACDCERT ID(HBOLGF) CONNECT(RING(Keyring.CDP) CERTAUTH LABEL('cdpCA'))
RACDCERT ID(HBOLGF) CONNECT(RING(Keyring.CDP) ID(HBOLGF) LABEL('cdpDSCert') USAGE(PERSONAL) DEFAULT)
SETROPTS RACLIST(DIGTRING) REFRESH
RACDCERT ID(HBOLGF) LISTRING(Keyring.CDP)
- CERTAUTH LABEL('cdpCA')
- Specify the correct label for the CA certificate. If the Data Streamer server certificate is issued by an intermediate CA, you must connect all the CA certificates in the chain (the root CA and every intermediate CA) to the key ring. Otherwise the Data Streamer cannot send the full chain, and the data gatherers cannot validate the server certificate unless they already hold the missing CA certificate themselves.
- ID(HBOLGF)
- If you use a SITE certificate for the Data Streamer, replace ID(HBOLGF) with SITE in the second CONNECT command.
- DEFAULT
- The DEFAULT parameter specifies the default certificate for the key ring. This is the certificate that the Data Streamer presents to the data gatherers during the TLS handshake.
Use the RACDCERT LISTCHAIN command to check that the certificate chain is complete and that all the certificates in the chain are connected to the key ring. For example:
RACDCERT ID(HBOLGF) LISTCHAIN(LABEL('cdpDSCert'))
- Grant the Data Streamer access to the key ring and the certificates. The user ID that is associated with the Data Streamer started task must be granted appropriate access to the certificates and the key ring that you created in steps 1 and 2. The instructions depend on whether the RDATALIB class or the FACILITY class is used at your site to protect the shared key ring and the private keys of certificates.
- If you use the RDATALIB class, run the following commands:
RDEFINE RDATALIB HBOLGF.Keyring.CDP.LST UACC(NONE)
PERMIT HBOLGF.Keyring.CDP.LST CLASS(RDATALIB) ID(HBOLGF) ACCESS(CONTROL)
SETROPTS RACLIST(RDATALIB) REFRESH
- HBOLGF.Keyring.CDP.LST
- The profile name is the user ID of the key ring owner, followed by the key ring name and .LST.
- ACCESS(CONTROL)
- Specify the lowest access level that your configuration needs:
- READ authority is sufficient if a personal certificate is obtained for the Data Streamer and the user ID that is associated with the Data Streamer is the owner of the certificate. (READ would also be enough if the Data Streamer used the key ring without a certificate of its own, but that case does not apply here, because the Data Streamer is the TLS server and must present a certificate, as step 1 explains.)
- UPDATE authority is required if a personal certificate is obtained for the Data Streamer, but the owner of the certificate is a different user from the user ID that is associated with the Data Streamer.
- CONTROL authority is required if a SITE certificate is used for the Data Streamer.
- If you use the FACILITY class, run the following commands:
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOLGF) ACCESS(READ)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(HBOLGF) ACCESS(CONTROL)
SETROPTS RACLIST(FACILITY) REFRESH
In these commands, the two IRR.DIGTCERT.GENCERT statements are required only when a SITE certificate is used for the Data Streamer: CONTROL access to IRR.DIGTCERT.GENCERT is what allows the Data Streamer user ID to use the private key of a SITE certificate. Do not grant it when a personal certificate is used.
When you use the FACILITY class and a personal certificate is obtained for the Data Streamer, the user ID that is associated with the Data Streamer must be the owner of the certificate; READ access to IRR.DIGTCERT.LISTRING is then sufficient for the Data Streamer to use its own key ring.
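The three steps above collected into one batch job, as an added example that is not part of the original page or of the product: it runs the RACDCERT and SETROPTS commands through IKJEFT01 (batch TSO) so that the whole key ring build can be reviewed, submitted under a user ID that holds the RACDCERT authorities from "Before you begin", and kept with the rest of the Data Streamer configuration. It assumes the values used in the text (user ID HBOLGF, labels cdpCA and cdpDSCert, key ring Keyring.CDP, RDATALIB protection); the job card, host name, OU, O, C and expiry date are placeholders. Because HBOLGF owns cdpDSCert in this example, the RDATALIB permit grants only READ, the lowest level that step 3 allows for that case. A trailing hyphen continues a TSO command on the next line.

```jcl
//CDPRING  JOB (ACCT),'CDP KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-----------------------------------------------------------------
//* Added example, not from the original page. Assumed values:
//* user ID HBOLGF, labels cdpCA and cdpDSCert, ring Keyring.CDP,
//* RDATALIB protection. Replace the job card, host name, OU, O, C
//* and the expiry date with your own values.
//*-----------------------------------------------------------------
//* STEP1: local CA (step 1.a) and Data Streamer certificate (1.b).
//*        Omit the CERTAUTH GENCERT command if a CA already exists.
//STEP1    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RACDCERT CERTAUTH GENCERT -
  SUBJECTSDN(CN('Root CA for CDP') OU('xxxx') O('yyyy') C('US')) -
  RSA SIZE(2048) NOTAFTER(DATE(2030-12-31)) WITHLABEL('cdpCA')
RACDCERT ID(HBOLGF) GENCERT -
  SUBJECTSDN(CN('yourhost.yourcompany.com') OU('xxxx') O('yyyy') -
  C('US')) -
  ALTNAME(DOMAIN('yourhost.yourcompany.com')) -
  RSA SIZE(2048) KEYUSAGE(HANDSHAKE) NOTAFTER(DATE(2030-12-31)) -
  WITHLABEL('cdpDSCert') SIGNWITH(CERTAUTH LABEL('cdpCA'))
SETROPTS RACLIST(DIGTCERT) REFRESH
RACDCERT CERTAUTH LIST(LABEL('cdpCA'))
RACDCERT ID(HBOLGF) LIST(LABEL('cdpDSCert'))
/*
//* STEP2: key ring with the CA and the server certificate as DEFAULT.
//*        LISTRING and LISTCHAIN show what the ring holds and whether
//*        the chain up to the root is complete.
//STEP2    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RACDCERT ID(HBOLGF) ADDRING(Keyring.CDP)
RACDCERT ID(HBOLGF) CONNECT(RING(Keyring.CDP) -
  CERTAUTH LABEL('cdpCA'))
RACDCERT ID(HBOLGF) CONNECT(RING(Keyring.CDP) -
  ID(HBOLGF) LABEL('cdpDSCert') USAGE(PERSONAL) DEFAULT)
SETROPTS RACLIST(DIGTRING) REFRESH
RACDCERT ID(HBOLGF) LISTRING(Keyring.CDP)
RACDCERT ID(HBOLGF) LISTCHAIN(LABEL('cdpDSCert'))
/*
//* STEP3: RDATALIB permit. HBOLGF owns cdpDSCert, so READ is enough.
//*        Use UPDATE only for another user's personal certificate and
//*        CONTROL only for a SITE certificate.
//STEP3    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE RDATALIB HBOLGF.Keyring.CDP.LST UACC(NONE)
PERMIT HBOLGF.Keyring.CDP.LST CLASS(RDATALIB) ID(HBOLGF) ACCESS(READ)
SETROPTS RACLIST(RDATALIB) REFRESH
/*
```

IKJEFT01 keeps running after a failed command, so review the SYSTSPRT output of every step before pointing the AT-TLS policy at Keyring.CDP: the LISTCHAIN output in STEP2 must show cdpDSCert chained to cdpCA with both connected to the ring. The job is not idempotent; on a rerun remove the GENCERT, ADDRING and RDEFINE commands for objects that already exist.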