Perform the following steps to create one self-signed certificate
and send an exported copy of it to each RRSF node.
1. Choose a node in your RRSF network and create a self-signed certificate.
   Example:
     RACDCERT GENCERT
       WITHLABEL('RRSF Server')
       SUBJECTSDN(CN('RACF Address Space') O('YOURORG') C('US'))
       KEYUSAGE(HANDSHAKE)
       NOTAFTER(DATE(2016-09-01))
   Do not specify the PKDS, PCICC, or ICSF option. The private key in this
   step must be stored in the RACF® database so that it can be exported with
   the certificate in Step 2.
2. Export the certificate as a PKCS #12 package.
   Example:
     RACDCERT EXPORT(LABEL('RRSF Server'))
       DSN(RACFSUB.PK12DER)
       FORMAT(PKCS12DER)
       PASSWORD('The circus is coming 2 town.')
3. Using FTP in binary mode, transfer the export package from the local node
   to a data set on each remote TCP/IP node in your RRSF network. For a
   multisystem node, transfer the package to only one of the member systems.
4. (Optional) On the local node, move the private key from the RACF database
   to the ICSF PKA key data set (PKDS), if available, where it will have
   hardware protection. If your installation controls resources in the
   CSFSERV and CSFKEYS classes, ensure that the user ID of the RACF subsystem
   has sufficient authority even if the user ID has the TRUSTED attribute.
   a. Delete the self-signed certificate you created in Step 1.
      Example:
        RACDCERT DELETE(LABEL('RRSF Server'))
   b. Re-add the self-signed certificate using the export package you created
      in Step 2 and store the private key in the ICSF PKDS.
      Example:
        RACDCERT ADD(RACFSUB.PK12DER) ID(RACFSUB)
          TRUST
          WITHLABEL('RRSF Server')
          PASSWORD('The circus is coming 2 town.')
          PKDS(RRSFserverkey)
5. (Optional) Delete the data set containing the export package because it is
   no longer needed.
   If you opted to leave the private key in the RACF database, you can delete
   the export package. If you want to add a new TCP/IP node in the future, you
   can reuse the same RRSF server certificate by exporting it, as you did in
   Step 2, and transferring it to the new node.
   If you opted in Step 4 to move the private key to the ICSF PKDS, do not
   delete the export package when you want to use the same RRSF server
   certificate with any new TCP/IP node that you might add in the future. If
   you delete the export package, you will need to create and distribute a new
   self-signed server certificate (with a different subject's distinguished
   name) for a new TCP/IP node.
6. On the local node, create a RACF key ring for RRSF and add the server
   certificate to the ring.
   a. Create the RRSF key ring.
      Example:
        RACDCERT ID(RACFSUB) ADDRING(IRR.RRSF.KEYRING)
      Specify the key ring name provided by the programmer in Before you begin.
   b. Connect the server certificate to the key ring.
      Example:
        RACDCERT ID(RACFSUB) CONNECT(LABEL('RRSF Server')
          RING(IRR.RRSF.KEYRING)
          DEFAULT
          USAGE(PERSONAL))
   c. Permit the user ID of the RACF subsystem to access the key ring by
      administering a profile in either the FACILITY or the RDATALIB class.
      Note: Do not skip this step even when the user ID of the RACF subsystem
      has the TRUSTED or PRIVILEGED attribute on your system.
      - When using the FACILITY class:
          RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
          PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RACFSUB) ACCESS(READ)
      - When using the RDATALIB class:
          RDEFINE RDATALIB IRR.RRSF.KEYRING.LST UACC(NONE)
          PERMIT IRR.RRSF.KEYRING.LST CLASS(RDATALIB) ID(RACFSUB) ACCESS(READ)
7. On each remote RRSF node, add the self-signed certificate using the export
   package you transferred in Step 3.
   Note: These are the same steps you performed for the local node in
   Steps 4.b and 5.
   a. Add the certificate and store the private key in the ICSF PKDS, if
      available. If your installation controls resources in the CSFSERV and
      CSFKEYS classes on the remote node, ensure that the user ID of the RACF
      subsystem has sufficient authority even if the user ID has the TRUSTED
      attribute.
      Example:
        RACDCERT ADD(RACFSUB.PK12DER) ID(RACFSUB)
          TRUST
          WITHLABEL('RRSF Server')
          PASSWORD('The circus is coming 2 town.')
          PKDS(RRSFserverkey)
   b. (Optional) Delete the data set containing the export package because it
      is no longer needed.
8. On each remote RRSF node, create a RACF key ring for RRSF and add the
   server certificate to the ring.
   Note: These are the same steps you performed for the local node in Step 6.
   a. Create the RRSF key ring.
      Example:
        RACDCERT ID(RACFSUB) ADDRING(IRR.RRSF.KEYRING)
      Specify the key ring name provided by the programmer in Before you begin.
   b. Connect the server certificate to the key ring.
      Example:
        RACDCERT ID(RACFSUB) CONNECT(LABEL('RRSF Server')
          RING(IRR.RRSF.KEYRING)
          DEFAULT
          USAGE(PERSONAL))
   c. Permit the user ID of the RACF subsystem to access the key ring by
      administering a profile in either the FACILITY or the RDATALIB class.
      Note: Do not skip this step even when the user ID of the RACF subsystem
      has the TRUSTED or PRIVILEGED attribute on your system.
      - When using the FACILITY class:
          RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
          PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RACFSUB) ACCESS(READ)
      - When using the RDATALIB class:
          RDEFINE RDATALIB IRR.RRSF.KEYRING.LST UACC(NONE)
          PERMIT IRR.RRSF.KEYRING.LST CLASS(RDATALIB) ID(RACFSUB) ACCESS(READ)
When you are finished, you have created a key ring for each TCP/IP
node and added its signed server certificate to the ring. You have
now implemented an RRSF trust policy for TCP/IP node connections.
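As an added example (not part of the original page and not IBM's code), the following Python script performs the check a practitioner would want between Step 3 and Step 7: that the PKCS12DER export package arrived on the remote node with its DER framing intact, since an ASCII-mode transfer rewrites the bytes and RACDCERT ADD would then fail or import garbage. It validates only the outer ASN.1 SEQUENCE, its declared length against the file size and the PKCS #12 version field, and prints a SHA-256 digest to compare with the source data set; it does not verify the password or parse the package contents, and the sample package it builds is constructed, not a real export.

```python
"""Sanity-check an exported RRSF PKCS #12 (PKCS12DER) package before RACDCERT ADD."""
import hashlib
import sys


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, header_size)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def check_pkcs12_der(data):
    """Return (ok, reason). ok is True only if the bytes look like an intact PFX."""
    if len(data) < 4 or data[0] != 0x30:  # PFX ::= SEQUENCE (tag 0x30)
        return False, "not a DER SEQUENCE (transferred in ASCII mode?)"
    try:
        body_len, hdr = _der_length(data, 1)
    except ValueError as exc:
        return False, str(exc)
    if 1 + hdr + body_len != len(data):   # declared length must match the file
        return False, f"length mismatch: header says {1 + hdr + body_len}, file is {len(data)}"
    if body_len < 3:
        return False, "body too short to hold a version field"
    pos = 1 + hdr
    if data[pos] != 0x02:                 # first element is version INTEGER
        return False, "missing version INTEGER"
    vlen, vhdr = _der_length(data, pos + 1)
    version = int.from_bytes(data[pos + 1 + vhdr:pos + 1 + vhdr + vlen], "big")
    if version != 3:                      # PKCS #12 v1 packages carry version 3
        return False, f"unexpected PKCS #12 version {version}"
    return True, "sha256=" + hashlib.sha256(data).hexdigest()


def constructed_sample():
    """Constructed PFX-shaped DER: SEQUENCE { INTEGER 3, OCTET STRING of 200 bytes }."""
    inner = b"\x02\x01\x03" + b"\x04\x81\xc8" + b"x" * 200   # 206 bytes
    return b"\x30\x81\xce" + inner                          # 209 bytes total


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    print(check_pkcs12_der(raw))
    # Simulate an ASCII-mode transfer onto EBCDIC: the framing byte is rewritten.
    print(check_pkcs12_der(raw.decode("latin-1").encode("cp037", errors="replace")))
```

Run it against the data set contents downloaded to a workstation, or after porting to the node, and compare the printed digest with one computed on the exporting node.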