z/OS Security Server RACF Security Administrator's Guide


Steps for generating a certificate and private key for the RACF address space

SA23-2289-00

Before you begin:
  • The RACDCERT commands shown in the following steps are examples. Your values might be different.
    • In this example, the user ID of the RACF® address space is RACFSUB. The actual user ID for your RACF address space is defined by setting up a started task identity using either the started procedures table (ICHRIN03), or by defining a profile in the STARTED class.

      See z/OS Security Server RACF System Programmer's Guide for information about setting up the RACF subsystem.

    • The label of the new certificate generated in these steps is RASP1. You can specify a label of your own choice.
    • The new certificate in these steps is signed by RACF, which is the certificate authority used in the context of this example. The local CA certificate for RACF is identified by the label RACFCA.
  • After completing these steps, avoid changing RACF's private key. If you change it, RACF will not be able to build PKCS #7 envelopes for existing passwords or password phrases. (Because the passwords and password phrases were encrypted under the old public key, they cannot be decrypted under the new private key.) Normal operation resumes only as users subsequently change their passwords and password phrases, because each change produces a new envelope under the current key.

Guidelines: If available, use ICSF to store the private key created in Step 1. Unless you use ICSF to store private keys, any user with READ access to the RACF database, or a user authorized to invoke a RACROUTE REQUEST=EXTRACT request, can read both the default certificate's private key and any user's enveloped password or password phrase from the database, and with the two together recover the cleartext. As always, protect the RACF database and its copies against inappropriate access. Further, verify that applications retrieving envelopes do so using only the R_admin interface.

Perform the following steps to generate an X.509 V3 certificate and associated private key, and prepare them for RACF use during the enveloping process.

  1. Generate a digital certificate containing a private key for the RACF address space.

    Example:

    RACDCERT ID(RACFSUB) GENCERT
       SUBJECTSDN(CN('RACF AddrsSpace System 1')O('ibm')C('us'))
       WITHLABEL('RASP1')
       SIGNWITH(CERTAUTH LABEL('RACFCA'))
       KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
       NOTAFTER(DATE(2020-12-31))
       ICSF

    If you do not use ICSF, then omit this operand from the command.

    ______________________________________________________________________

  2. Create a RACF key ring named IRR.PWENV.KEYRING. Note that the name of the key ring is case-sensitive.

    Example:

    RACDCERT ID(RACFSUB) ADDRING(IRR.PWENV.KEYRING)

    ______________________________________________________________________

  3. Connect the certificate you created for the RACF address space in Step 1 to the key ring. You must connect it as the default certificate as shown in the following example.

    Example:

    RACDCERT ID(RACFSUB) CONNECT(LABEL('RASP1')
       RING(IRR.PWENV.KEYRING)
       DEFAULT
       USAGE(PERSONAL))

    ______________________________________________________________________

  4. Verify that your new certificate is marked trusted by listing it using the RACDCERT LIST command. (This also applies to the other certificates you create during setup for enveloping.) If the certificate is not trusted, use the following command to mark it trusted.

    Example:

    RACDCERT ID(RACFSUB) ALTER (LABEL('RASP1')) TRUST

    ______________________________________________________________________

You have now created an X.509 V3 certificate and associated private key for the RACF address space, and connected them to RACF's key ring.

Once you complete these steps, if you change the user ID under which the RACF subsystem runs, you will need to repeat these steps using the new RACF user ID.
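The four steps above, driven from one TSO/E REXX exec that also checks the results, as an added example that is not part of the manual: it uses the manual's sample values (RACFSUB, RACFCA, RASP1, the ICSF operand and the NOTAFTER date), which are assumptions to replace with your own, and it reads the RACDCERT LIST and LISTRING output to confirm that the certificate is TRUST, that its private key is ICSF-resident when ICSF is in use (the Guidelines' point), and that it is connected to IRR.PWENV.KEYRING as the DEFAULT PERSONAL certificate.

```rexx
/* REXX: generate the enveloping certificate, build the key ring and    */
/* verify the result.  Added example, not taken from the manual.        */
/* Run under TSO/E, so quoted strings go to TSO as commands.            */
/* ASSUMPTIONS (the manual's sample values; change to match your site): */
/*   RACFSUB  user ID of the RACF address space (ICHRIN03 or STARTED)   */
/*   RACFCA   label of the local RACF CA certificate                    */
/*   RASP1    label chosen for the new certificate                      */
/*   useicsf  1 when ICSF is available to hold the private key          */
racfid  = 'RACFSUB'
calabel = 'RACFCA'
label   = 'RASP1'
ring    = 'IRR.PWENV.KEYRING'        /* ring name is case-sensitive     */
useicsf = 1

icsfop = ''
if useicsf then icsfop = 'ICSF'      /* omit the operand without ICSF   */

/* Step 1: X.509 V3 certificate and private key for the address space  */
"RACDCERT ID("racfid") GENCERT",
   "SUBJECTSDN(CN('RACF AddrsSpace System 1') O('ibm') C('us'))",
   "WITHLABEL('"label"')",
   "SIGNWITH(CERTAUTH LABEL('"calabel"'))",
   "KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)",
   "NOTAFTER(DATE(2020-12-31))" icsfop
if rc <> 0 then call fail rc 'GENCERT'

/* Step 2: the key ring used during enveloping                          */
"RACDCERT ID("racfid") ADDRING("ring")"
if rc <> 0 then call fail rc 'ADDRING'

/* Step 3: connect it as the DEFAULT certificate with USAGE(PERSONAL)   */
"RACDCERT ID("racfid") CONNECT(LABEL('"label"') RING("ring")",
   "DEFAULT USAGE(PERSONAL))"
if rc <> 0 then call fail rc 'CONNECT'

/* Step 4: confirm TRUST; if not trusted, ALTER ... TRUST and re-check  */
call checklist
if \trusted then do
   say 'Certificate' label 'is not trusted; marking it TRUST'
   "RACDCERT ID("racfid") ALTER(LABEL('"label"')) TRUST"
   if rc <> 0 then call fail rc 'ALTER'
   call checklist
   if \trusted then call fail 8 'TRUST check'
end
if useicsf & \icsfkey then call fail 8 'private key is not ICSF-resident'

/* LISTRING shows one line per certificate: label, owner, USAGE, DEFAULT */
x = OUTTRAP('out.')
"RACDCERT ID("racfid") LISTRING("ring")"
x = OUTTRAP('OFF')
isdefault = 0
do i = 1 to out.0
   if word(out.i, 1) = label & pos('PERSONAL', out.i) > 0 &,
      pos('YES', out.i) > 0 then isdefault = 1
end
if \isdefault then call fail 8 'DEFAULT/PERSONAL check on' ring

say 'Enveloping certificate' label 'is ready in ring' ring
exit 0

checklist:
   /* Parse RACDCERT LIST for "Status:" and "Private Key Type:" lines   */
   trusted = 0; icsfkey = 0
   x = OUTTRAP('out.')
   "RACDCERT ID("racfid") LIST(LABEL('"label"'))"
   x = OUTTRAP('OFF')
   do i = 1 to out.0
      parse upper value out.i with 'STATUS:' st .
      if st = 'TRUST' | st = 'HIGHTRUST' then trusted = 1
      if pos('PRIVATE KEY TYPE: ICSF', translate(out.i)) > 0 then icsfkey = 1
   end
   return

fail:
   parse arg code what
   say what 'failed, rc='code
   exit code
```

Each RACDCERT command sets the REXX rc variable, so the exec stops at the first failing step instead of connecting a certificate that was never created. The LIST parse treats "Status: NOTRUST" as untrusted because the status word is compared whole, and the ICSF check is skipped when useicsf is 0, matching the manual's instruction to omit the operand when ICSF is not used.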





Copyright IBM Corporation 1990, 2014