Define E2EAgentCA

Procedure

  1. Create a RACF keyring for the E2E agent to use as its keystore.
    RACDCERT ID(E2EUSER) ADDRING(E2EAgentKeyring)
  2. Create a self-signed RSA key pair containing a public and a private key to act as a CA. "E2EAgentCA" is the label or alias of the certificate.
    RACDCERT GENCERT CERTAUTH SUBJECTSDN(CN('CA for E2EAgent') 
    O('IBM') OU('E2EAgent') C('US')) SIZE(2048) WITHLABEL('E2EAgentCA') 
    NOTAFTER(DATE(2029-12-31))
  3. Connect the CA certificate to the keyring.
    RACDCERT ID(E2EUSER) CONNECT(RING(E2EAgentKeyring) 
    LABEL('E2EAgentCA')  CERTAUTH)
  4. Create a personal certificate for the E2E agent server, signed by the CA certificate "E2EAgentCA". This generates an RSA key pair for the server. The common name (CN) value is typically the host name of the z/OS LPAR that hosts the E2E agent. "E2EAgentServerCert" is the label or alias of the personal certificate of the E2E agent.
    RACDCERT ID(E2EUSER) GENCERT SUBJECTSDN(CN('myServer.host.com') 
    O('IBM')  OU('E2EAgent')  C('US'))  SIZE(2048) SIGNWITH(CERTAUTH
    LABEL('E2EAgentCA')) WITHLABEL('E2EAgentServerCert') 
    NOTAFTER(DATE(2029-12-31))
    
  5. Connect the personal certificate to the keyring.
    RACDCERT ID(E2EUSER)  CONNECT(RING(E2EAgentKeyring)
    LABEL('E2EAgentServerCert'))
    
  6. Verify that the keyring and certificates were created correctly.
    RACDCERT ID(E2EUSER) LISTRING(E2EAgentKeyring) 
    RACDCERT CERTAUTH LIST(LABEL('E2EAgentCA')) 
    RACDCERT ID(E2EUSER)  LIST(LABEL('E2EAgentServerCert'))

    The following screen capture shows the LISTRING response:

    Ring:
         >E2EAgentKeyring<
    Certificate Label Name             Cert Owner    USAGE     DEFAULT
    --------------------------------   ------------  --------  -------
    E2EAgentCA                         CERTAUTH      CERTAUTH  NO
    E2EAgentServerCert                 ID(E2EUSER)   PERSONAL  NO
  7. Refresh the RACLISTed DIGTCERT profiles so that the new definitions take effect.
    SETROPTS RACLIST(DIGTCERT) REFRESH
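The verification in step 6 can be automated by parsing the LISTRING response and checking that the ring holds the CA (connected as CERTAUTH) and the server's personal certificate (owned by the agent user ID). The following is an added example, not IBM's code; the sample output is constructed from the screen capture above, and the ring, label and user names are the ones used in this procedure.

```python
import re

# Constructed sample: the LISTRING response shown in step 6.
SAMPLE_LISTRING = """\
Ring:
     >E2EAgentKeyring<
Certificate Label Name             Cert Owner    USAGE     DEFAULT
--------------------------------   ------------  --------  -------
E2EAgentCA                         CERTAUTH      CERTAUTH  NO
E2EAgentServerCert                 ID(E2EUSER)   PERSONAL  NO
"""


def parse_listring(text):
    """Return (ring_name, entries); each entry is a dict with label, owner, usage, default."""
    ring = None
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*>(.+)<\s*$", line)
        if m:  # the ring name is printed between '>' and '<'
            ring = m.group(1)
            continue
        parts = line.split()
        # Data rows have four columns and end with the YES/NO DEFAULT flag;
        # the header and the dashed separator do not match this shape.
        if len(parts) == 4 and parts[3] in ("YES", "NO"):
            entries.append(dict(label=parts[0], owner=parts[1],
                                usage=parts[2], default=parts[3]))
    return ring, entries


def check_keyring(text, ring_name, ca_label, server_label, owner):
    """Return a list of problems; an empty list means the ring matches the procedure."""
    ring, entries = parse_listring(text)
    problems = []
    if ring != ring_name:
        problems.append(f"expected ring {ring_name}, found {ring}")
    by_label = {e["label"]: e for e in entries}
    ca = by_label.get(ca_label)
    if ca is None or ca["owner"] != "CERTAUTH" or ca["usage"] != "CERTAUTH":
        problems.append(f"{ca_label} is missing or not connected as CERTAUTH")
    srv = by_label.get(server_label)
    if srv is None or srv["owner"] != f"ID({owner})" or srv["usage"] != "PERSONAL":
        problems.append(f"{server_label} is missing or not a PERSONAL certificate owned by {owner}")
    return problems


if __name__ == "__main__":
    print(check_keyring(SAMPLE_LISTRING, "E2EAgentKeyring",
                        "E2EAgentCA", "E2EAgentServerCert", "E2EUSER") or "keyring OK")
```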