z/OS Security Server RACF Security Administrator's Guide


Exporting RACF's certificate to the recipient key database

SA23-2289-00

If you have implemented IBM® Tivoli® Directory Integrator, or the recipient intends to verify the signature of envelopes as they are decrypted to ensure they are from RACF®, then both the CA certificate and the RACF address space certificate must be available to the recipient in the recipient key database.

Export both the RACF CA certificate and the RACF address space certificate. (These certificates were created in "Generating a local CA certificate using RACF as the CA" and "Generating an X.509 V3 certificate for the RACF address space".)

Example:

RACDCERT CERTAUTH EXPORT(LABEL('RACFCA')) DSN(CERT.RACFCA.TEXT) FORMAT(CERTB64)
RACDCERT ID(RACFSUB) EXPORT(LABEL('RASP1')) DSN(CERT.RASP.TEXT) FORMAT(CERTB64)

These files must be transferred to the recipient system. Use FTP (ASCII mode) or simply cut and paste them to create the racfca.cert and rasp.cert files. Then, import the files:

Using the keytool command:

Example:

keytool -import -alias RACFCA -file racfca.cert -keystore recipient.jks -storepass xxxxxx
keytool -import -alias RASP1 -file rasp.cert -keystore recipient.jks -storepass xxxxxx

Using the gsk5cmd command:

Example:

gsk5cmd.exe -cert -add -db recipient.kdb -pw xxxx -label "RACFCA" -file racfca.cert -format ascii
gsk5cmd.exe -cert -add -db recipient.kdb -pw xxxx -label "RASP1" -file rasp.cert -format ascii





Copyright IBM Corporation 1990, 2014