z/OS Security Server RACF Security Administrator's Guide


Setting up your certificate environment

SA23-2289-00

After you complete your planning decisions, you can begin setting up your z/OS® certificate environment. In general, this is the sequence of activities involved in preparing one entity, or application, to use a secure network protocol. All of the following activities are described using RACF® command functions where applicable. (For RACDCERT command syntax, see z/OS Security Server RACF Command Language Reference.) Optionally, you can supplement these activities with support from other software or external organizations.
  1. If you chose RACF as your certificate authority, use the RACDCERT GENCERT command to generate your certificate authority (CA) certificate and its associated public and private key pair in RACF. Set the certificate's validity period explicitly, because the one-year default value is usually not long enough for a CA certificate.
  2. Use the RACDCERT GENCERT command to generate your application's end-entity certificate, and the associated public and private key pair, in RACF.
    • If you are using RACF as your certificate authority, sign the application certificate with your RACF certificate authority certificate.
    • If you are using an external certificate authority, create a self-signed certificate in RACF as a placeholder and use the RACDCERT GENREQ command to generate a certificate request, based on the placeholder certificate, to send to your external certificate authority. The certificate request (header line, footer line, and all data between them) is sent to the certificate authority, which signs the certificate and returns it to you. Upon receipt, use RACDCERT ADD to replace the self-signed certificate with your new CA-signed certificate.
      If you peek at a request data set before you send it to the certificate authority, you will notice the following header and footer lines. (Certificate requests are always DER-encoded and then base64-encoded, like base64-encoded certificates.)
      -----BEGIN NEW CERTIFICATE REQUEST----- 
      ⋮ 
      -----END NEW CERTIFICATE REQUEST----- 
  3. Establish the trust policy for your application. (For details, see RACF and key rings.)
    • Use the RACDCERT ADDRING command to define a key ring in RACF and associate it with your application's user ID.
    • Use the RACDCERT CONNECT command to connect certificates to the key ring. Be sure to connect your trusted certificate authority certificates and the certificate that represents your application.
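The three steps above, carried through as one REXX exec that issues the RACDCERT commands in order. This is an added example, not code from the RACF guide; the user ID APPUSER, the labels EXAMPLECA and APPCERT, the ring name APPRING, the data set names and the distinguished names are all assumptions.

```rexx
/* REXX: added example, not from the RACF guide.                         */
/* Builds a RACF-signed server certificate and key ring for the          */
/* hypothetical application user ID APPUSER. Labels, ring name, data     */
/* set names and distinguished names are assumptions.                    */
ADDRESS TSO

/* Step 1: RACF as certificate authority. Override the one-year default; */
/* a CA certificate must outlive the end-entity certificates it signs.   */
"RACDCERT CERTAUTH GENCERT",
   "SUBJECTSDN(CN('Example Internal CA') O('Example Corp') C('US'))",
   "WITHLABEL('EXAMPLECA') SIZE(2048) KEYUSAGE(CERTSIGN)",
   "NOTAFTER(DATE(2035-12-31))"

/* Step 2: end-entity certificate for the application, signed with the   */
/* RACF CA certificate above and given a shorter validity than the CA.   */
"RACDCERT ID(APPUSER) GENCERT",
   "SUBJECTSDN(CN('app.example.com') O('Example Corp') C('US'))",
   "ALTNAME(DOMAIN('app.example.com'))",
   "WITHLABEL('APPCERT') SIZE(2048) KEYUSAGE(HANDSHAKE)",
   "SIGNWITH(CERTAUTH LABEL('EXAMPLECA'))",
   "NOTAFTER(DATE(2027-12-31))"

/* Step 2, external-CA variant (instead of the two commands above):      */
/* run the same GENCERT without SIGNWITH to get a self-signed            */
/* placeholder, write the request to a data set for the CA, add the      */
/* external CA's own certificate as trusted, then ADD the signed         */
/* certificate. Its public key matches the placeholder, so RACF replaces */
/* the placeholder and keeps the private key. Transfer the request data  */
/* set as text and strip trailing blanks if its records are fixed-length.*/
/* "RACDCERT ID(APPUSER) GENREQ(LABEL('APPCERT')) DSN('APPUSER.CSR.B64')"  */
/* "RACDCERT CERTAUTH ADD('APPUSER.EXTCA.B64') WITHLABEL('EXTCA') TRUST"  */
/* "RACDCERT ID(APPUSER) ADD('APPUSER.SIGNED.B64') WITHLABEL('APPCERT')"  */

/* Step 3: trust policy. The ring holds the CA certificate(s) the        */
/* application should trust plus its own certificate, marked DEFAULT so  */
/* the protocol layer selects it without naming a label.                 */
"RACDCERT ID(APPUSER) ADDRING(APPRING)"
"RACDCERT ID(APPUSER) CONNECT(CERTAUTH LABEL('EXAMPLECA')",
   "RING(APPRING) USAGE(CERTAUTH))"
"RACDCERT ID(APPUSER) CONNECT(ID(APPUSER) LABEL('APPCERT')",
   "RING(APPRING) USAGE(PERSONAL) DEFAULT)"

/* Refresh the in-storage profiles (if these classes are RACLISTed) and  */
/* verify what actually ended up in the ring before pointing the         */
/* application at it.                                                    */
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
"RACDCERT ID(APPUSER) LISTRING(APPRING)"
```

The LISTRING output should show EXAMPLECA with usage CERTAUTH and APPCERT as the DEFAULT PERSONAL certificate; anything missing from that list is what the application's TLS handshake will not be able to present or validate.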


Copyright IBM Corporation 1990, 2014