This is similar to Scenario 1: Secure server with a certificate signed by a certificate authority, with the exception that the certificate assigned to the secure server is a locally signed certificate rather than one signed by a certificate authority. Assume that the local certificate authority has the distinguished name OU='Local Certificate Authority',O=XYZZY,C=US. The steps to implement a locally signed server certificate are:

1. Generate a self-signed certificate to represent the local certificate authority. This certificate is used as the certificate-authority certificate.

       RACDCERT CERTAUTH
         GENCERT
         SUBJECTSDN(OU('Local Certificate Authority')
                    O('XYZZY')
                    C('US'))
         KEYUSAGE(CERTSIGN)
         WITHLABEL('XYZZY Local Certificate Authority')

2. Export the certificate to a data set, in this case 'MARKN.LOCCERTA.CERT'.

       RACDCERT CERTAUTH
         EXPORT(LABEL('XYZZY Local Certificate Authority'))
         DSN('MARKN.LOCCERTA.CERT')

3. Place the certificate into the z/OS UNIX file system.

       OPUT 'MARKN.LOCCERTA.CERT' '/u/loccerta/certauth.cacert'

   Note: RACF® is not involved with this step.

4. Configure WebSphere Application Server to recognize the file /u/loccerta/certauth.cacert as a certificate-authority MIME type.

   Note: RACF is not involved with this step.

5. Each end user must point their browser to the z/OS UNIX file containing the certificate and run an acceptance dialog to allow the browser to accept the self-signed certificate. Each browser has its own mechanism for performing this step.

   Note: RACF is not involved with this step.

6. Log on to the server user ID INVSERV and create a certificate for the server, signed with the certificate-authority certificate that was created in Step 1.

       RACDCERT ID(INVSERV)
         GENCERT
         SUBJECTSDN(CN('xyzzy.com')
                    OU('Inventory')
                    O('XYZZY')
                    C('US'))
         WITHLABEL('Inventory Server')
         SIGNWITH(CERTAUTH LABEL('XYZZY Local Certificate Authority'))

7. Connect the certificate to INVSERV's existing key ring and mark it as the default certificate.

       RACDCERT ID(INVSERV)
         CONNECT(LABEL('Inventory Server')
                 RING(RING01)
                 DEFAULT)

8. Connect the local certificate authority certificate to the key ring as well. This completes the certificate hierarchy from root to inventory server.

       RACDCERT ID(INVSERV)
         CONNECT(CERTAUTH LABEL('XYZZY Local Certificate Authority')
                 RING(RING01))

9. Give user INVSERV permission to read its own key ring by administering a profile in either the FACILITY or the RDATALIB class.

   - When using the FACILITY class:

         RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
         PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(INVSERV) ACCESS(READ)

   - When using the RDATALIB class:

         RDEFINE RDATALIB INVSERV.RING01.LST UACC(NONE)
         PERMIT INVSERV.RING01.LST CLASS(RDATALIB) ID(INVSERV) ACCESS(READ)

10. Configure INVSERV's software to use RING01 for SSL. For example, for z/OS® HTTP Server, set the keyFile directive to KeyFile RING01 SAF.

    Note: RACF is not involved with this step.
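The ten steps above establish a three-part trust relationship: a self-signed certificate-authority certificate whose key usage permits certificate signing (Step 1), a server certificate for xyzzy.com issued under it (Step 6), and clients that have accepted that certificate authority (Steps 3 to 5). The following added example is not part of the RACF documentation or of any IBM product; it reproduces the same hierarchy with OpenSSL on a workstation so the relationships can be inspected offline. It assumes OpenSSL 1.1.1 or later on the PATH; the file names, the req configuration and the extension values are constructed for the example. It also demonstrates the failure mode Step 5 exists to prevent: a client that has not accepted the local certificate authority has no trust anchor and rejects the server certificate.

```shell
#!/bin/sh
# Added example, not from the RACF documentation: the Scenario 2 certificate
# hierarchy rebuilt with OpenSSL so the trust relationships can be checked
# offline. Assumes OpenSSL 1.1.1 or later; all file names are constructed.
set -eu

# Minimal req configuration so the result does not depend on the system
# openssl.cnf. "openssl req" insists on a distinguished_name section even
# when -subj supplies the subject, so [dn] is present but ignored.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = US
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

build_hierarchy() {
    dir=$1
    write_req_config "$dir/req.cnf"

    # Step 1 equivalent: self-signed CA certificate. The keyCertSign bit
    # mirrors RACDCERT KEYUSAGE(CERTSIGN).
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/C=US/O=XYZZY/OU=Local Certificate Authority" >/dev/null 2>&1

    # Step 6 equivalent: a request for the inventory server, then signed by
    # the local CA (the SIGNWITH(CERTAUTH ...) part of the RACDCERT command).
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=XYZZY/OU=Inventory/CN=xyzzy.com" >/dev/null 2>&1

    # End-entity extensions: not a CA, usable for TLS server authentication.
    printf '%s\n' \
        "basicConstraints = critical,CA:FALSE" \
        "keyUsage = critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage = serverAuth" \
        "subjectAltName = DNS:xyzzy.com" > "$dir/server.ext"

    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# Issuer DN of the server certificate in the RFC 2253 form the text uses.
issuer_dn() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1/server.pem" \
        | sed 's/^issuer= *//'
}

# Subject DN of the CA certificate; it must equal issuer_dn for the chain
# from root to inventory server to link.
ca_subject_dn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/ca.pem" \
        | sed 's/^subject= *//'
}

# Step 8 equivalent: validate root -> inventory server for the TLS server
# purpose with the local CA present as a trust anchor. Returns openssl's
# exit status (0 on success).
verify_chain() {
    openssl verify -purpose sslserver -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# The failure mode Step 5 exists to prevent: a client that has not accepted
# the local CA has no trust anchor, so verification must fail (non-zero).
verify_without_local_ca() {
    openssl verify -no-CAfile -no-CApath "$1/server.pem" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_hierarchy "$work"
    echo "CA subject:    $(ca_subject_dn "$work")"
    echo "server issuer: $(issuer_dn "$work")"
    if verify_chain "$work"; then echo "local CA trusted: chain OK"; fi
    if verify_without_local_ca "$work"; then
        echo "unexpected: accepted without the local CA"
    else
        echo "local CA not trusted: rejected (no trust anchor)"
    fi
    rm -rf "$work"
fi
```

Run it as `sh local_ca_demo.sh demo`. The mapping to the RACF steps is: KEYUSAGE(CERTSIGN) corresponds to the X.509 keyCertSign bit on the CA certificate; SIGNWITH(CERTAUTH ...) corresponds to signing the request with the CA key; connecting both certificates to RING01 (Steps 7 and 8) corresponds to the server being able to present the CA certificate alongside its own, which is why the verification here is given the CA certificate explicitly.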