Perform the following steps to generate a RACF certificate and its ICSF public/private
key pair on system A (the source system), and migrate them to system
B (the target system).
1. Generate the certificate and its public/private key pair on system A.

    RACDCERT ID(SYSMAN) GENCERT SUBJECTSDN(CN('Secure Key'))
      WITHLABEL('SECURE.KEY') PKDS(*) SIZE(2048)
______________________________________________________________________
2. Extract the certificate from RACF and store it in an MVS™ data set
   called 'MY.CERT'. (The ICSF private key is not extracted in this step.)

    RACDCERT ID(SYSMAN) EXPORT(LABEL('SECURE.KEY')) DSN(MY.CERT) FORMAT(CERTDER)
______________________________________________________________________
3. Extract the encrypted private key from ICSF using a non-RACF utility,
   such as KEYXFER.
______________________________________________________________________
4. Transmit both the key and certificate data sets to system B. This
   step completes your work on system A.
______________________________________________________________________
5. Receive both the key and certificate data sets on system B.
______________________________________________________________________
6. Add the encrypted private key to ICSF using a non-RACF
   utility, such as KEYXFER, specifying the desired PKDS label for the
   key on system B, 'MIGRATED.KEY'.
______________________________________________________________________
7. Add the certificate to RACF using the same RACF and PKDS label
   you used in Step 6, 'MIGRATED.KEY'.

    RACDCERT ID(SYSMAN) ADD(MY.CERT) WITHLABEL('MIGRATED.KEY') PKDS(*)
______________________________________________________________________
8. List the migrated certificate to verify that RACF found the private
   key and assigned the private key to the certificate.

    RACDCERT ID(SYSMAN) LIST(LABEL('MIGRATED.KEY'))

   Result: You should see similar information at the end of the
   certificate listing:

    Key Type: RSA
    Key Size: 2048
    Private Key: YES
    PKDS Label: MIGRATED.KEY
    Ring Associations:
    *** No rings associated ***
______________________________________________________________________
You have now generated a certificate and its ICSF public/private
key pair on system A and migrated them to system B. Both system A
and system B can now use the same certificate and key pair.
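
The verification in the last step can be scripted once the RACDCERT LIST output has been saved to a file. The following is an added example, not part of the original procedure or of any IBM tooling: a Python check over captured listing text. The function names and the failing sample are constructed for illustration; the field names and expected values are the ones shown in the listing above.

```python
import re

# Fields and values the procedure expects at the end of the listing on system B.
EXPECTED = {
    "Key Type": "RSA",
    "Key Size": "2048",
    "Private Key": "YES",
    "PKDS Label": "MIGRATED.KEY",
}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")

# Tail of the listing as shown in the procedure.
GOOD_LISTING = """\
Key Type: RSA
Key Size: 2048
Private Key: YES
PKDS Label: MIGRATED.KEY
Ring Associations:
*** No rings associated ***
"""
# Constructed sample: the private key and PKDS label lines are absent,
# standing in for a certificate that was added without its key being found.
BAD_LISTING = """\
Key Type: RSA
Key Size: 2048
Ring Associations:
*** No rings associated ***
"""

def parse_listing(text):
    """Return {field: value} for each 'Name: value' line that has a value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):  # skip headings such as 'Ring Associations:'
            fields.setdefault(m.group(1), m.group(2))
    return fields

def check_migration(text, expected=EXPECTED):
    """Return a list of problems; an empty list means the key is bound."""
    fields, problems = parse_listing(text), []
    for name, want in expected.items():
        got = fields.get(name)
        if got is None:
            problems.append(f"{name}: missing from listing")
        elif got != want:
            problems.append(f"{name}: expected {want!r}, found {got!r}")
    return problems

if __name__ == "__main__":
    for name, text in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, check_migration(text) or "OK")
```

A non-empty result on system B means the certificate should not be put into service until the PKDS label given when the key was added and the label given when the certificate was added have been compared.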