Then export the personal certificate to a data set in CER format and FTP it in binary mode to your workstation. Import the certificate into the web browser as a personal certificate. Once the certificate is imported, the web browser can supply it as an SSL client certificate when it connects to the HTTPS port of the Liberty server. Use the following RACF command, where <clientuserid> is the RACF user ID and <hostname> is the host name of the client computer.

RACDCERT ID(<clientuserid>) GENCERT
SUBJECTSDN(CN('<hostname>')
O('IBM')
OU('CICS'))
SIZE(2048)
SIGNWITH (CERTAUTH LABEL('CICS-Sample-Certification'))
WITHLABEL('<clientuserid>-certificate')

Export the personal certificate as you have done earlier in this step.

RACDCERT ID(<clientuserid>)
EXPORT(LABEL('<clientuserid>-certificate'))
DSN('USERID.CERT.CLICERT')
FORMAT(PKCS12DER)
PASSWORD('password')

Update the server.xml SSL element to support SSL client certificate authentication:

<ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
sslProtocol="SSL_TLS"
serverKeyAlias="<userid>-Liberty-Server"
clientAuthenticationSupported="true"/>

Additionally, if you want to ensure that all clients must supply a valid SSL client certificate, add the clientAuthentication attribute to the SSL element as follows:

<ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
sslProtocol="SSL_TLS"
serverKeyAlias="<userid>-Liberty-Server"
clientAuthenticationSupported="true"
clientAuthentication="true"/>
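
The difference between the two SSL element variants above can be checked from the configuration file itself. The following Python check is an added example, not part of the original documentation or of IBM's code: it reads a server.xml and reports, for each SSL configuration, whether a client certificate is required, optional or not requested. The sample file, the user ID CICSUSR and the ids optionalSSLConfig and plainSSLConfig are constructed, and the check assumes the attributes are written in a single file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's second <ssl> element with a made-up user ID
# (CICSUSR) in place of <userid>, plus two constructed SSL configurations.
SAMPLE_SERVER_XML = """\
<server>
  <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
       sslProtocol="SSL_TLS"
       serverKeyAlias="CICSUSR-Liberty-Server"
       clientAuthenticationSupported="true"
       clientAuthentication="true"/>
  <ssl id="optionalSSLConfig" keyStoreRef="racfKeyStore"
       clientAuthenticationSupported="true"/>
  <ssl id="plainSSLConfig" keyStoreRef="racfKeyStore"/>
</server>
"""

def _flag(element, name):
    """Return True/False for a boolean attribute, or None if it cannot be
    decided from the file alone (for example a ${variable} reference)."""
    raw = element.get(name, "false").strip().lower()
    return {"true": True, "false": False}.get(raw)

def client_auth_modes(server_xml_text):
    """Map each <ssl> id to 'required', 'optional', 'none' or 'unknown'."""
    root = ET.fromstring(server_xml_text)
    modes = {}
    for ssl in root.iter("ssl"):
        required = _flag(ssl, "clientAuthentication")
        supported = _flag(ssl, "clientAuthenticationSupported")
        if required is True:
            mode = "required"      # clientAuthentication overrides the other flag
        elif required is None or supported is None:
            mode = "unknown"
        elif supported:
            mode = "optional"      # handshake succeeds without a certificate
        else:
            mode = "none"
        modes[ssl.get("id", "<no id>")] = mode
    return modes

def not_enforcing(server_xml_text):
    """Ids of SSL configurations that do not require a client certificate."""
    return sorted(i for i, m in client_auth_modes(server_xml_text).items()
                  if m != "required")

if __name__ == "__main__":
    for ssl_id, mode in client_auth_modes(SAMPLE_SERVER_XML).items():
        print(f"{ssl_id}: client certificate {mode}")
```

A configuration reported as optional still accepts connections that present no certificate, so any endpoint that relies on certificate identity needs the required setting.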