Building a key ring manually

In CICS®, the required server certificate and related information about certificate authorities are held in a key ring in the RACF® database. The key ring contains your system's private and public key pair, together with your server certificate and the certificates for all the certificate authorities that might have signed the certificates you receive from your clients.

Before you begin

Before you can use SSL with CICS, you must create a key ring that contains a private and public key pair and a server certificate. To create a key ring, you must have UPDATE authority to the IRR.DIGTCERT.ADDRING resource in the FACILITY class. If you want to share certificates in a key ring between CICS regions, the CICS regions must have the same user ID, and that user ID must own the key ring.

About this task

The RACDCERT command installs and maintains public key infrastructure (PKI) private keys and certificates in RACF. You can either issue the RACDCERT command manually to create a new key ring, or you can use the DFH$RING sample program; see Building a key ring with certificates using DFH$RING.

To create a key ring manually, follow these steps:

Procedure

Issue the following RACDCERT command:
RACDCERT ID(cics-region-userid) ADDRING(ringname)
The key ring must be associated with the CICS region user ID.

Results

RACF creates the key ring in the RACF database. If there is a key ring of the same name already in the RACF database, it is replaced with the new key ring.
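
The procedure above as a batch TSO job, added here as an example and not taken from the product documentation. The job card values, the user ID CICSUSR1 and the ring name CICSRING are hypothetical placeholders. The job lists the user's existing rings before ADDRING, so that a ring of the same name is noticed first, and lists the new ring afterward to confirm the result.

```jcl
//ADDRING  JOB (ACCT),'CREATE KEY RING',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example. ACCT, CICSUSR1 and CICSRING are hypothetical
//* placeholders: substitute your accounting data, the CICS region
//* user ID, and the key ring name.
//*
//* The commands run in order under the batch TSO terminal monitor:
//*  1. RLIST shows the submitter's access to the FACILITY profile
//*     that protects ADDRING (check the YOUR ACCESS column).
//*  2. LISTRING(*) lists the rings CICSUSR1 already owns, so a
//*     name clash is visible in the output before ADDRING runs.
//*  3. ADDRING creates the ring under the CICS region user ID.
//*  4. LISTRING(CICSRING) confirms that the ring exists. It stays
//*     empty until certificates are connected to it.
//* LISTRING is protected by its own profile,
//* IRR.DIGTCERT.LISTRING, in the FACILITY class.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RLIST FACILITY IRR.DIGTCERT.ADDRING
  RACDCERT ID(CICSUSR1) LISTRING(*)
  RACDCERT ID(CICSUSR1) ADDRING(CICSRING)
  RACDCERT ID(CICSUSR1) LISTRING(CICSRING)
/*
```

The command output is written to SYSTSPRT; review it for RACF messages from each step before adding certificates to the ring.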

What to do next

Create a signing certificate (certificate authority certificate) and add it to the key ring.