z/OS Security Server RACF Security Administrator's Guide


Steps for using the same, self-signed certificate for all RRSF nodes

SA23-2289-00

Perform the following steps to create one self-signed certificate and send an exported copy of it to each RRSF node.
  1. Choose a node in your RRSF network and create a self-signed certificate.
    Example:
    RACDCERT GENCERT 
       WITHLABEL('RRSF Server') 
       SUBJECTSDN(CN('RACF Address Space') O('YOURORG') C('US')) 
       KEYUSAGE(HANDSHAKE) 
       NOTAFTER(DATE(2016-09-01))

    Do not specify the PKDS, PCICC, or ICSF option. The private key in this step must be stored in the RACF® database so that it can be exported with the certificate in Step 2.

    ______________________________________________________________________

  2. Export the certificate as a PKCS #12 package.
    Example:
    RACDCERT EXPORT(LABEL('RRSF Server')) 
       DSN(RACFSUB.PK12DER)
       FORMAT(PKCS12DER) 
       PASSWORD('The circus is coming 2 town.')

    ______________________________________________________________________

  3. Using FTP in binary mode, transfer the export package from the local node to a data set on each remote TCP/IP node in your RRSF network. For a multisystem node, transfer the package to only one of the member systems.

    ______________________________________________________________________

  4. (Optional) On the local node, move the private key from the RACF database to the ICSF PKA key data set (PKDS), if available, where it will have hardware protection.

    If your installation controls resources in the CSFSERV and CSFKEYS classes, ensure that the user ID of the RACF subsystem has sufficient authority even if the user ID has the TRUSTED attribute.

    1. Delete the self-signed certificate you created in Step 1.
      Example:
      RACDCERT DELETE(LABEL('RRSF Server')) 
    2. Re-add the self-signed certificate using the export package you created in Step 2 and store the private key in the ICSF PKDS.
      Example:
      RACDCERT ADD(RACFSUB.PK12DER) ID(RACFSUB) 
         TRUST 
         WITHLABEL('RRSF Server')
         PASSWORD('The circus is coming 2 town.')
         PKDS(RRSFserverkey)

    _________________________________________________________________

  5. (Optional) Delete the data set containing the export package because it is no longer needed.

    If you opted to leave the private key in the RACF database, you can delete the export package. If you want to add a new TCP/IP node in the future, you can reuse the same RRSF server certificate by exporting it, as you did in Step 2, and transferring it to the new node.

    If you opted in Step 4 to move the private key to the ICSF PKDS, do not delete the export package if you want to use the same RRSF server certificate with any new TCP/IP node that you might add in the future. If you delete the export package, you will need to create and distribute a new self-signed server certificate (with a different subject's distinguished name) for a new TCP/IP node.

    _________________________________________________________________

  6. On the local node, create a RACF key ring for RRSF and add the server certificate to the ring.
    1. Create the RRSF key ring.
      Example:
      RACDCERT ID(RACFSUB) ADDRING(IRR.RRSF.KEYRING)

      Specify the key ring name provided by the programmer in Before you begin.

    2. Connect the server certificate to the key ring.
      Example:
      RACDCERT ID(RACFSUB) CONNECT(LABEL('RRSF Server') 
         RING(IRR.RRSF.KEYRING)
         DEFAULT 
         USAGE(PERSONAL))
    3. Permit the user ID of the RACF subsystem to access the key ring by administering a profile in either the FACILITY or the RDATALIB class.
      Note: Do not skip this step even when the user ID of the RACF subsystem has the TRUSTED or PRIVILEGED attribute on your system.
      • When using the FACILITY class:
        RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) 
        PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RACFSUB) ACCESS(READ)
        • If the FACILITY class is not already active, activate and RACLIST it.
          SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
        • If the FACILITY class is already active and RACLISTed, refresh it.
          SETROPTS RACLIST(FACILITY) REFRESH
      • When using the RDATALIB class:
        RDEFINE RDATALIB IRR.RRSF.KEYRING.LST UACC(NONE)
        PERMIT IRR.RRSF.KEYRING.LST CLASS(RDATALIB) ID(RACFSUB) ACCESS(READ)
        • If the RDATALIB class is not already active, activate and RACLIST it.
          SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
        • If the RDATALIB class is already active and RACLISTed, refresh it.
          SETROPTS RACLIST(RDATALIB) REFRESH

    ______________________________________________________________________

  7. On each remote RRSF node, add the self-signed certificate using the export package you transferred in Step 3.

    Note: These are the same steps you performed for the local node in Steps 4.b and 5.

    1. Add the certificate and store the private key in the ICSF PKDS, if available.

      If your installation controls resources in the CSFSERV and CSFKEYS classes on the remote node, ensure that the user ID of the RACF subsystem has sufficient authority even if the user ID has the TRUSTED attribute.

      Example:
      RACDCERT ADD(RACFSUB.PK12DER) ID(RACFSUB) 
         TRUST 
         WITHLABEL('RRSF Server')
         PASSWORD('The circus is coming 2 town.')
         PKDS(RRSFserverkey)
    2. (Optional) Delete the data set containing the export package because it is no longer needed.

    ______________________________________________________________________

  8. On each remote RRSF node, create a RACF key ring for RRSF and add the server certificate to the ring.

    Note: These are the same steps you performed for the local node in Step 6.

    1. Create the RRSF key ring.
      Example:
      RACDCERT ID(RACFSUB) ADDRING(IRR.RRSF.KEYRING)

      Specify the key ring name provided by the programmer in Before you begin.

    2. Connect the server certificate to the key ring.
      Example:
      RACDCERT ID(RACFSUB) CONNECT(LABEL('RRSF Server') 
         RING(IRR.RRSF.KEYRING)
         DEFAULT 
         USAGE(PERSONAL))
    3. Permit the user ID of the RACF subsystem to access the key ring by administering a profile in either the FACILITY or the RDATALIB class.
      Note: Do not skip this step even when the user ID of the RACF subsystem has the TRUSTED or PRIVILEGED attribute on your system.
      • When using the FACILITY class:
        RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) 
        PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RACFSUB) ACCESS(READ)
        • If the FACILITY class is not already active, activate and RACLIST it.
          SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
        • If the FACILITY class is already active and RACLISTed, refresh it.
          SETROPTS RACLIST(FACILITY) REFRESH
      • When using the RDATALIB class:
        RDEFINE RDATALIB IRR.RRSF.KEYRING.LST UACC(NONE)
        PERMIT IRR.RRSF.KEYRING.LST CLASS(RDATALIB) ID(RACFSUB) ACCESS(READ)
        • If the RDATALIB class is not already active, activate and RACLIST it.
          SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
        • If the RDATALIB class is already active and RACLISTed, refresh it.
          SETROPTS RACLIST(RDATALIB) REFRESH

    ______________________________________________________________________

When you are finished, you have created a key ring for each TCP/IP node and added its signed server certificate to the ring. You have now implemented an RRSF trust policy for TCP/IP node connections.
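The procedure depends on the PKCS #12 package arriving on each remote node byte-for-byte intact (Step 3 requires binary-mode FTP for that reason) before RACDCERT ADD imports it in Step 7. The following Python script is an added example, not part of this IBM documentation or of RACF itself. It assumes the package has been copied to an ordinary file (for instance on the workstation that performed the transfer, or a z/OS UNIX file), sanity-checks the outer DER envelope of the PFX structure, and computes a SHA-256 that can be compared between the exported copy and each remote copy. The sample package it builds is constructed placeholder bytes, not a real certificate or key, and all helper names are the example's own.

```python
"""Sanity-check an exported RACDCERT PKCS #12 (PKCS12DER) package after transfer.

Added example, not part of the IBM procedure. It checks the outer DER envelope of
the PFX structure and computes a SHA-256 so the copy on each RRSF node can be
compared with the original before RACDCERT ADD is run. It does not decrypt the
package and needs no password.
"""
import hashlib


def _encode_len(n):
    """DER length encoding (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + _encode_len(len(content)) + content


def _decode_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, bytes consumed)."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def check_pkcs12_package(data):
    """Return a list of problems with the outer PFX structure (empty = looks intact).

    PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, macData OPTIONAL }
    A text-mode FTP transfer (EBCDIC/ASCII translation or CR/LF insertion) or a
    truncated data set breaks the length bookkeeping, which this catches.
    """
    problems = []
    if len(data) < 6 or data[0] != 0x30:
        problems.append("file does not start with a DER SEQUENCE tag (0x30)")
        return problems
    try:
        length, consumed = _decode_len(data, 1)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    expected = 1 + consumed + length
    if expected != len(data):
        problems.append(f"outer SEQUENCE claims {expected} bytes, file has {len(data)}")
    body = data[1 + consumed:1 + consumed + length]
    if body[:3] != b"\x02\x01\x03":
        problems.append("PFX version is not INTEGER 3")
    return problems


def sha256_hex(data):
    """Hex SHA-256 of the package, to compare between local and remote copies."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original, received):
    """Compare the package as exported with the copy found on a remote node."""
    return {
        "hash_matches": sha256_hex(original) == sha256_hex(received),
        "problems": check_pkcs12_package(received),
    }


# --- Constructed sample input (not a real key or certificate) -------------------
# A PFX-shaped envelope whose inner OCTET STRING holds every byte value 0x00-0xFF,
# so that any line-end or code-page translation during transfer changes its size.
_ID_DATA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"  # 1.2.840.113549.1.7.1
_content_info = _der(0x30, _ID_DATA_OID + _der(0xA0, _der(0x04, bytes(range(256)))))
SAMPLE_PFX = _der(0x30, b"\x02\x01\x03" + _content_info)


def simulate_ascii_mode_transfer(data):
    """Constructed fault: what a text-mode transfer does to a 0x0A byte."""
    return data.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    print("exported:", sha256_hex(SAMPLE_PFX), check_pkcs12_package(SAMPLE_PFX))
    print("ascii-mode copy:", verify_copy(SAMPLE_PFX, simulate_ascii_mode_transfer(SAMPLE_PFX)))
    print("truncated copy:", verify_copy(SAMPLE_PFX, SAMPLE_PFX[:-16]))
```

Run `check_pkcs12_package` on the file read in binary mode on each node; a non-empty problem list or a SHA-256 that differs from the exporting node's value means the transfer should be repeated before Step 7, because RACDCERT ADD would otherwise fail on, or worse silently accept, a damaged package. The check only inspects the outer envelope, so a matching hash remains the authoritative test.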

Copyright IBM Corporation 1990, 2014