Steps for migrating an existing key database to a RACF key ring

The IKE daemon and NSS server require the ability to retrieve digital certificates associated with a particular identity from a RACF® key ring, and to perform operations with the associated private key.

Before you begin

To migrate an existing key database file to a RACF key ring, see the information on migrating key database files to RACF key rings in z/OS Cryptographic Services System SSL Programming.

Procedure

Perform the following steps to migrate keys and certificates that are stored in an existing z/OS® key database into a RACF key ring:

  1. Using gskkyman, export the certificate and private key to a password-protected PKCS#12 file. For details on copying a certificate with its private key, see z/OS Cryptographic Services System SSL Programming.
  2. Copy the newly created PKCS#12 file to an MVS™ data set.
  3. Use the RACDCERT command with the ADD operand to define the certificate and private key to RACF. Specify the name of the data set that was created in step 2, which contains the certificate.
  4. Use the RACDCERT command with the ADDRING operand to create a new key ring in RACF.
  5. Use the RACDCERT command with the CONNECT operand to add the certificate and private key to one or more existing RACF key rings.
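
Steps 3 through 5 can be run as one sequence that stops at the first failing command, so a certificate is never connected to a ring after a failed ADD. The following REXX exec is an added example, not part of the original IBM procedure; the owning user ID, data set name, certificate label and key ring name are assumptions to replace with your own values.

```rexx
/* REXX - added example for steps 3-5 of the procedure above.       */
/* Run under TSO by a user authorized to issue RACDCERT for the     */
/* owning user ID. All four values below are assumptions.           */
owner = 'IKED'                 /* assumed user ID that owns the ring */
dsn   = 'IKED.MIGRATE.P12'     /* assumed data set from step 2       */
label = 'IKE Daemon Cert'      /* assumed certificate label          */
ring  = 'iked_keyring'         /* assumed key ring name              */

/* Prompt for the password instead of storing it in the exec.       */
Say 'Password of the PKCS#12 file exported in step 1:'
Parse Pull p12pw               /* Parse Pull keeps the case as typed */

/* Step 3: define the certificate and private key from the data set */
Call run "RACDCERT ID("owner") ADD('"dsn"') WITHLABEL('"label"')" ,
         "PASSWORD('"p12pw"') TRUST"

/* Step 4: create the key ring                                       */
Call run "RACDCERT ID("owner") ADDRING("ring")"

/* Step 5: connect the certificate and its private key to the ring   */
Call run "RACDCERT ID("owner") CONNECT(ID("owner") LABEL('"label"')" ,
         "RING("ring") USAGE(PERSONAL) DEFAULT)"

/* Check: the ring listing should show the label just connected      */
Call run "RACDCERT ID("owner") LISTRING("ring")"

Say 'Done. Delete' dsn 'and the PKCS#12 file; both hold the private key.'
Exit 0

/* Issue one TSO command and stop the exec on a nonzero return code. */
run: Procedure
  Parse Arg cmd
  Address TSO cmd
  If rc <> 0 Then Do
    /* Show only the first three words so the password is not echoed */
    Say 'RC='rc 'from:' Word(cmd,1) Word(cmd,2) Word(cmd,3)
    Exit 8
  End
  Return
```

If the DIGTCERT and DIGTRING classes are RACLISTed on your system, refresh them with SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH before the daemon opens the ring.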