Steps for migrating a certificate and its ICSF private key in the PKDS
- Both the source and target system must be configured to use ICSF and share the same ICSF PKA master key. The systems need not share the same RACF® database nor share the same ICSF PKDS.
- A PCI-class cryptographic coprocessor must be operational and configured with the ICSF PKDS on each system (both the source and target system) when you specify PKDS or the PCICC operand of the RACDCERT GENCERT command function. Otherwise, specify the ICSF operand.
- To use your installation's ICSF facilities in Steps 1 and 6, you might need additional authority to ICSF resources. For information about these resources, see z/OS Cryptographic Services ICSF Administrator's Guide.
- To extract ICSF private keys, you will need a non-RACF utility, such as KEYXFER. To download the KEYXFER utility, go to the z/OS UNIX System Services Tools and Toys web page.
- Generate the certificate and its public/private key
pair on system A.
RACDCERT ID(SYSMAN) GENCERT SUBJECTSDN(CN('Secure Key')) WITHLABEL('SECURE.KEY') PKDS(*) SIZE(2048)
______________________________________________________________________
- Extract the certificate from RACF and
store it in an MVS™ data set called
'MY.CERT'
. (The ICSF private key is not extracted in this step.)RACDCERT ID(SYSMAN) EXPORT(LABEL('SECURE.KEY')) DSN(MY.CERT) FORMAT(CERTDER)
______________________________________________________________________
- Extract the encrypted private key from ICSF using a non-RACF utility,
such as KEYXFER.
______________________________________________________________________
- Transmit both the key and certificate data sets to system B. This
step completes your work on system A.
______________________________________________________________________
- Receive both the key and certificate data sets on system B.
______________________________________________________________________
- Add the encrypted private key to ICSF using a non-RACF
utility, such as KEYXFER, specifying the desired PKDS label for the
key on system B,
'MIGRATED.KEY'
.______________________________________________________________________
- Add the certificate to RACF using
the same RACF and PKDS label
you used in Step 6,
'MIGRATED.KEY'
.RACDCERT ID(SYSMAN) ADD(MY.CERT) WITHLABEL('MIGRATED.KEY') PKDS(*)
______________________________________________________________________
- List the migrated certificate to verify that RACF found the private key and assigned the
private key to the certificate.
RACDCERT ID(SYSMAN) LIST(LABEL('MIGRATED.KEY'))
Result: You should see similar information at the end of the certificate listing:Key Type: RSA Key Size: 2048 Private Key: YES PKDS Label: MIGRATED.KEY Ring Associations: *** No rings associated ***
______________________________________________________________________
You have now generated a certificate and its ICSF public/private key pair on system A and migrated them to system B. Both system A and system B can now use the same certificate and key pair.