Scenario 2: Secure server with a locally signed certificate

This is similar to Scenario 1: Secure server with a certificate signed by a certificate authority, with the exception that the certificate assigned to the secure server is a locally signed certificate rather than one signed by a certificate authority. Assume that the local certificate authority has the distinguished name OU='Local Certificate Authority',O=XYZZY,C=US. The steps to implement a locally signed server certificate are:

1. Generate a self-signed certificate to represent the local certificate authority. This certificate is used as the certificate-authority certificate.

       RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('Local Certificate Authority') O('XYZZY') C('US')) KEYUSAGE(CERTSIGN) WITHLABEL('XYZZY Local Certificate Authority')

2. Export the certificate to a data set, in this case 'MARKN.LOCCERTA.CERT'.

       RACDCERT CERTAUTH EXPORT(LABEL('XYZZY Local Certificate Authority')) DSN('MARKN.LOCCERTA.CERT')

3. Place the certificate into the z/OS UNIX file system.

       OPUT 'MARKN.LOCCERTA.CERT' '/u/loccerta/certauth.cacert'

   Note: RACF® is not involved with this step.

4. Configure WebSphere Application Server to recognize the file /u/loccerta/certauth.cacert as a certificate-authority MIME type.

   Note: RACF is not involved with this step.

5. Each end user must point their browser to the z/OS UNIX file containing the certificate and run an acceptance dialog to allow the browser to accept the self-signed certificate. Each browser has its own mechanism for performing this step.

   Note: RACF is not involved with this step.

6. Log on to the server user ID INVSERV and create a certificate for the server, signed with the certificate-authority certificate that was created in Step 1.

       RACDCERT ID(INVSERV) GENCERT SUBJECTSDN(CN('xyzzy.com') OU('Inventory') O('XYZZY') C('US')) WITHLABEL('Inventory Server') SIGNWITH(CERTAUTH LABEL('XYZZY Local Certificate Authority'))

7. Connect the certificate to INVSERV's existing key ring and mark it as the default certificate.

       RACDCERT ID(INVSERV) CONNECT(ID(INVSERV) LABEL('Inventory Server') RING(RING01) DEFAULT)

8. Connect the local certificate authority certificate to the key ring as well. This completes the certificate hierarchy from root to inventory server.

       RACDCERT ID(INVSERV) CONNECT(CERTAUTH LABEL('XYZZY Local Certificate Authority') RING(RING01))

9. Give user INVSERV permission to read its own key ring by administering a profile in either the FACILITY or the RDATALIB class.

   - When using the FACILITY class:

         RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
         PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(INVSERV) ACCESS(READ)

     - If the FACILITY class is not already active, activate and RACLIST it.

           SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)

     - If the FACILITY class is already active and RACLISTed, refresh it.

           SETROPTS RACLIST(FACILITY) REFRESH

   - When using the RDATALIB class:

         RDEFINE RDATALIB INVSERV.RING01.LST UACC(NONE)
         PERMIT INVSERV.RING01.LST CLASS(RDATALIB) ID(INVSERV) ACCESS(READ)

     - If the RDATALIB class is not already active, activate and RACLIST it.

           SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)

     - If the RDATALIB class is already active and RACLISTed, refresh it.

           SETROPTS RACLIST(RDATALIB) REFRESH

10. Configure INVSERV's software to use RING01 for SSL. For example, for z/OS® HTTP Server, set the keyFile directive to KeyFile RING01 SAF.

    Note: RACF is not involved with this step.