After you complete your planning decisions, you can begin setting
up your z/OS® certificate environment.
In general, this is the sequence of activity involved in preparing
for one entity, or application, to use a secure network protocol.
All of the following activities are described using RACF® command functions where applicable. (For
RACDCERT command syntax, see
z/OS Security Server RACF Command Language Reference.)
At your option, you can choose to supplement your activities with
support from other software or external organizations.
- If you chose RACF as your
certificate authority, use the RACDCERT GENCERT command to generate
your certificate authority (CA) certificate, and its associated public
and private key pair, in RACF.
Set the certificate's validity period explicitly, because the one-year
default value is usually not long enough for a CA certificate.
- Use the RACDCERT GENCERT command to generate your application's
end-entity certificate, and the associated public and private key
pair, in RACF.
- If you are using RACF as
your certificate authority, sign the application certificate with
your RACF certificate authority
certificate.
- If you are using an external certificate authority, create a self-signed
certificate in RACF as a placeholder and
use the RACDCERT GENREQ command to generate a certificate request,
based on the placeholder certificate, to send to your external certificate
authority. The certificate request (header line, footer line, and
all data between them) is sent to the certificate authority, which signs
the certificate and returns it to you. Upon receipt, use RACDCERT
ADD to replace the self-signed placeholder with your new CA-signed
certificate.
If you peek at a request data set before you send
it to the certificate authority, you will notice the following header
and footer lines. (Certificate requests are always DER-encoded and
then base64-encoded, like base64-encoded certificates.)
-----BEGIN NEW CERTIFICATE REQUEST-----
⋮
-----END NEW CERTIFICATE REQUEST-----
- Establish the trust policy for your application. (For details,
see RACF and key rings.)
- Use the RACDCERT ADDRING command to define a key ring in RACF and associate it with your
application's user ID.
- Use the RACDCERT CONNECT command to connect certificates to the
key ring. Be sure to connect your trusted certificate authority certificates
and the certificate that represents your application.
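The steps above, carried out for one application as a batch TSO job. This is an added, constructed example and not part of the IBM documentation; the user ID APPSRV, the certificate labels, the ring name APPSRVRING and the data set names are placeholders you would replace with your own.

```jcl
//RACFCERT JOB (ACCT),'RACF CERT SETUP',CLASS=A,MSGCLASS=X
//* Constructed example: RACF acts as the CA for application user
//* APPSRV. Labels, user ID, ring name and data set names are
//* placeholders.
//*   1. CA certificate and key pair; NOTAFTER overrides the one-year
//*      default validity, which is too short for a CA.
//*   2. APPSRV end-entity certificate, signed with that CA.
//*   3. Key ring for APPSRV with the CA connected as CERTAUTH (trust
//*      policy) and the application certificate as the PERSONAL
//*      DEFAULT certificate.
//*   4. Refresh in-storage profiles (only needed if DIGTCERT and
//*      DIGTRING are RACLISTed), then list the ring to verify.
//* External-CA variant of step 2 (not run here): generate the
//* self-signed placeholder with GENCERT but no SIGNWITH, then
//*   RACDCERT ID(APPSRV) GENREQ(LABEL('APPSRV CERT')) DSN('APPSRV.CSR')
//* send APPSRV.CSR to the CA, store the returned certificate in
//* APPSRV.CERT, and replace the placeholder with
//*   RACDCERT ID(APPSRV) ADD('APPSRV.CERT') WITHLABEL('APPSRV CERT')
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH GENCERT                                      +
     SUBJECTSDN(CN('Example Internal CA') O('Example') C('US'))  +
     WITHLABEL('EXAMPLE INTERNAL CA')                             +
     SIZE(2048)                                                   +
     NOTAFTER(DATE(2035-12-31))
  RACDCERT ID(APPSRV) GENCERT                                    +
     SUBJECTSDN(CN('appsrv.example.com') O('Example') C('US'))   +
     WITHLABEL('APPSRV CERT')                                     +
     SIZE(2048)                                                   +
     SIGNWITH(CERTAUTH LABEL('EXAMPLE INTERNAL CA'))
  RACDCERT ID(APPSRV) ADDRING(APPSRVRING)
  RACDCERT ID(APPSRV) CONNECT(CERTAUTH LABEL('EXAMPLE INTERNAL CA') +
     RING(APPSRVRING) USAGE(CERTAUTH))
  RACDCERT ID(APPSRV) CONNECT(ID(APPSRV) LABEL('APPSRV CERT')     +
     RING(APPSRVRING) USAGE(PERSONAL) DEFAULT)
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT ID(APPSRV) LISTRING(APPSRVRING)
/*
```

The final LISTRING output in SYSTSPRT should show both the CA certificate (usage CERTAUTH) and the application certificate (usage PERSONAL, marked as the default) before you point the application at ring APPSRVRING.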