[z/OS]

Enabling writable SAF keyrings

WebSphere® Application Server enables a WebSphere Application Server administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) Data Library functions for SAF keyrings. This task migrates existing configurations and enables writable SAF keyrings.

Before you begin

This task is used for migrating keystore objects that were not enabled for writable support during profile creation. Writable keyring support is only configurable when running z/OS® Release 1.9, or z/OS Release 1.8 with APAR OA22287 (Resource Access Control Facility, RACF®, or the APAR for your equivalent security product) and APAR OA22295 (SAF).

Before starting this task, the wsadmin tool must be running. See the information about starting the wsadmin scripting client.

About this task

By default, if writable keyring support is enabled during profile management, the default keystore configurations are enabled for writable keyrings. Alternatively, if you are migrating from a previous WebSphere Application Server installation, you can enable writable keyrings for a keystore object using the following steps.

AdminTask can be used in interactive mode and batch mode. Use batch mode for automation; AdminTask batch mode can be called from a Jacl or Jython script. Interactive mode steps you through all of the parameters that the task needs; required parameters are marked with an asterisk (*). Before AdminTask runs the task, it echoes the batch mode syntax of the task to the screen, which is helpful when writing batch mode scripts for automation.

The following attributes are needed to create writable SAF keyring keystore objects:
  • keyStoreName
  • controlRegionUser
  • servantRegionUser

The interactive mode procedure to enable writable SAF keyrings is as follows:

Procedure

  1. Use interactive mode to step through all attributes and use any default values for attributes (if desired).
    The default value is shown in [] on the prompt line, and the actual flag used in batch mode is shown in () on each prompt line. If you accept the default value, that flag does not appear on the generated batch command line.
    • Using Jacl:
      $AdminTask enableWritableKeyrings -interactive
    • Using Jython:
      AdminTask.enableWritableKeyrings('[-interactive]')
  2. Here is an example of output from step (1):
    *Keystore Name (keyStoreName): NodeDefaultKeyStore
    Management Scope Name (scopeName):
    *Control region userid for z/OS (SAF) (controlRegionUser): CRRACFID
    *Servant region userid for z/OS (SAF) (servantRegionUser): SRRACFID
    
    Modify keystore for writable SAF support
    
    F (Finish)
    C (Cancel)
    
    Select [F, C]: [F] F
    WASX7278I: Generated command line: $AdminTask enableWritableKeyrings {-keyStoreName NodeDefaultKeyStore 
    -controlRegionUser CRRACFID -servantRegionUser SRRACFID }
    

Results

Two additional keystore objects are created that can be accessed using the administrative console to perform certificate operations on the appropriate keyring. The keystore objects are named your_keystore_name-CR and your_keystore_name-SR, where your_keystore_name is the name of the keystore specified on the create command.

your_keystore_name-CR corresponds to the keyring owned by the RACF ID of the control region process, and your_keystore_name-SR corresponds to the keyring owned by the RACF ID of the servant region process.

These keystores are created in the same scope as your_keystore_name and can be accessed using the administrative console from the your_keystore_name collection panel.
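The same enablement in batch mode, as an added wsadmin Jython example that is not part of the IBM page: it builds the parameter string that the interactive session echoes (WASX7278I), runs the task, saves the configuration, and then confirms that the your_keystore_name-CR and your_keystore_name-SR keystore objects described above now exist. It assumes the script runs under wsadmin, where AdminTask and AdminConfig are injected globals, and that AdminTask.listKeyStores() returns one name(configId) entry per line; the helpers take the AdminTask object as a parameter so they can be exercised offline with a stand-in.

```python
# Added example, not from the IBM documentation. Assumes wsadmin Jython
# (AdminTask / AdminConfig globals) and a Jython 2.1-compatible syntax.

def build_params(key_store_name, control_region_user, servant_region_user,
                 scope_name=None):
    """Build the batch-mode parameter string for enableWritableKeyrings.
    A default management scope is omitted, just as the interactive session
    leaves an accepted default flag off the generated command line."""
    parts = ['-keyStoreName', key_store_name,
             '-controlRegionUser', control_region_user,
             '-servantRegionUser', servant_region_user]
    if scope_name:
        parts.extend(['-scopeName', scope_name])
    return '[' + ' '.join(parts) + ']'


def keystore_names(admin_task):
    """Parse AdminTask.listKeyStores() output, assumed to be one
    'name(configId)' entry per line, into a list of keystore names."""
    names = []
    for line in admin_task.listKeyStores().splitlines():
        line = line.strip()
        if line:
            names.append(line.split('(')[0])
    return names


def enable_writable_keyrings(admin_task, admin_config, key_store_name,
                             control_region_user, servant_region_user,
                             scope_name=None):
    """Enable writable SAF keyrings for one keystore object and return the
    list of expected -CR / -SR keystore objects that are still missing
    afterwards (an empty list means the task produced both objects)."""
    params = build_params(key_store_name, control_region_user,
                          servant_region_user, scope_name)
    admin_task.enableWritableKeyrings(params)
    admin_config.save()   # persist the new keystore objects to the repository
    expected = [key_store_name + '-CR', key_store_name + '-SR']
    present = keystore_names(admin_task)
    return [name for name in expected if name not in present]


if __name__ == '__main__':
    # CRRACFID / SRRACFID are the sample RACF IDs from the interactive session.
    missing = enable_writable_keyrings(AdminTask, AdminConfig,
                                       'NodeDefaultKeyStore',
                                       'CRRACFID', 'SRRACFID')
    if missing:
        print('Writable keyring objects not found: ' + ', '.join(missing))
    else:
        print('NodeDefaultKeyStore-CR and NodeDefaultKeyStore-SR are available')
```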

What to do next

Accessing writable SAF keyrings:
  1. Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore].
  2. Under Writable SAF Keyrings, click either Control Region Keyring or Servant Region Keyring to display the keystore collection panel for either the control region keyring or servant region keyring, respectively.
  3. Under Additional Properties, navigate to the certificate collection panels to perform certificate management operations.