Before you begin:
- The RACDCERT commands shown in the following steps are examples. Your values might be different.
- After completing these steps, avoid changing RACF's private key. If you change it, RACF will not be able to build PKCS #7 envelopes for existing passwords or password phrases. (Because the passwords and password phrases were encrypted under the old public key, they cannot be decrypted under the new private key.) Normal operation will resume as users subsequently change their passwords and password phrases.
Guidelines: If available, use ICSF to store the private key created in Step 1. Unless you use ICSF to store private keys, any user with READ access to the RACF database, or a user authorized to invoke a RACROUTE REQUEST=EXTRACT request, can obtain the default certificate's private key and any user's encrypted password or password phrase. As always, protect the RACF database and its copies against inappropriate access. Further, verify that applications retrieving envelopes do so using only the R_admin interface.
Perform the following steps to generate an X.509 V3 certificate and associated private key, and prepare them for RACF use during the enveloping process.
- Generate a digital certificate containing a private key for the RACF address space.
Example:
RACDCERT ID(RACFSUB) GENCERT
SUBJECTSDN(CN('RACF AddrsSpace System 1')O('ibm')C('us'))
WITHLABEL('RASP1')
SIGNWITH(CERTAUTH LABEL('RACFCA'))
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
NOTAFTER(DATE(2020-12-31))
ICSF
If you do not use ICSF, omit the ICSF operand from the command.
- Create a RACF key ring named IRR.PWENV.KEYRING. Note that the name of the key ring is case-sensitive.
Example:
RACDCERT ID(RACFSUB) ADDRING(IRR.PWENV.KEYRING)
- Connect the certificate you created for the RACF address space in Step 1 to the key ring. You must connect it as the default certificate, as shown in the following example.
Example:
RACDCERT ID(RACFSUB) CONNECT(LABEL('RASP1')
RING(IRR.PWENV.KEYRING)
DEFAULT
USAGE(PERSONAL))
- Verify that your new certificate is marked trusted by listing it using the RACDCERT LIST command. (This also applies to the other certificates you create during setup for enveloping.) If the certificate is not trusted, use the following command to mark it trusted.
Example:
RACDCERT ID(RACFSUB) ALTER(LABEL('RASP1')) TRUST
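As an added example that is not part of this documentation, the following Python script applies the checks behind Steps 3 and 4 to saved RACDCERT LIST and LISTRING output (copied off the system, for example from a TSO session log): trusted status, presence of the private key, expiry (note that the NOTAFTER date in the Step 1 example has already passed), and a DEFAULT, PERSONAL connection to IRR.PWENV.KEYRING. The two sample displays are constructed to approximate RACDCERT's layout, the field names are assumptions, and `today` is given in RACDCERT's own YYYY/MM/DD form so the dates compare as strings.

```python
import re

RING = "IRR.PWENV.KEYRING"  # case-sensitive, as Step 2 notes

# Constructed sample of RACDCERT ID(RACFSUB) LIST(LABEL('RASP1')) output
LIST_OUT = """\
Digital certificate information for user RACFSUB:
  Label: RASP1
  Status: TRUST
  End Date:   2020/12/31 23:59:59
  Private Key: YES
"""
# Constructed sample of RACDCERT ID(RACFSUB) LISTRING(IRR.PWENV.KEYRING) output
RING_OUT = """\
Digital ring information for user RACFSUB:
  Ring:
       >IRR.PWENV.KEYRING<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  RASP1                              ID(RACFSUB)    PERSONAL     YES
"""

def parse_list(text):
    """Collect the indented 'Field: value' lines of a LIST display into a dict."""
    return {m[1]: m[2].strip()
            for m in re.finditer(r"^ +([A-Za-z ]+?): *(.*)$", text, re.M)}

def check_envelope_cert(list_out, ring_out, label, today):
    """Return the problems found; an empty list means the setup matches Steps 1-4."""
    cert, problems = parse_list(list_out), []
    if cert.get("Status") != "TRUST":
        problems.append("not marked TRUST; fix with RACDCERT ALTER(LABEL(...)) TRUST")
    if cert.get("Private Key") != "YES":
        problems.append("no private key is associated with the certificate")
    end = cert.get("End Date", "").split()  # ['YYYY/MM/DD', 'hh:mm:ss']
    if end and end[0] < today:  # zero-padded YYYY/MM/DD compares correctly as text
        problems.append(f"expired on {end[0]}; a new key cannot open existing envelopes")
    # LISTRING table rows look like: LABEL  ID(OWNER)  USAGE  DEFAULT
    rows = [ln.split() for ln in ring_out.splitlines()]
    entry = next((r[-2:] for r in rows if len(r) >= 4 and r[0] == label), None)
    if f">{RING}<" not in ring_out or entry is None:
        problems.append(f"{label} is not connected to ring {RING}")
    else:
        if entry[1] != "YES":
            problems.append("connected, but not as the DEFAULT certificate")
        if entry[0] != "PERSONAL":
            problems.append(f"USAGE is {entry[0]}, expected PERSONAL")
    return problems
```

Run it against your own captured displays; a ring name that differs only in case is reported as not connected, which is the mistake the case-sensitivity note in Step 2 warns about.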
You have now created an X.509 V3 certificate and associated private key for the RACF address space, and connected them to RACF's key ring.
Once you complete these steps, if you change the user ID under which the RACF subsystem runs, you will need to repeat these steps using the new RACF user ID.