Configuring SSL server authentication on the CICS server

To complete this task you use IBM® RACF® commands to create a CA certificate, a signed personal certificate, and a keyring on the CICS® server.

You perform this task by issuing RACDCERT (IBM RACF digital certificate) commands. RACDCERT is a TSO command: you can enter it from the ISPF command shell or run a sequence of RACDCERT commands in a batch TSO job. You use RACDCERT commands to create and maintain digital certificates, and to create the keyrings that are the repositories for digital certificates. The sample commands in this topic generate RACF certificates that use the SHA-256 hashing algorithm for signing. For information on other options, see the topic RACDCERT GENCERT (Generate certificate) in the IBM z/OS® Security Server RACF Command Language Reference.

  1. Create a self-signed CA certificate on the server (in IBM RACF). Enter the following command on one line:
    RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG CA CERT') C('GB')) 
    SIZE(2048) KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT')  
    KEYUSAGE(CERTSIGN) marks the certificate as one that can sign other certificates, which step 5 relies on. Unless you specify NOTAFTER, RACDCERT makes a certificate valid for one year from the date it is created; for a CA certificate you normally want a longer validity period, so consider adding NOTAFTER(DATE(yyyy-mm-dd)) with a suitable expiry date.
    
  2. Refresh the in-storage copy of the DIGTCERT class so that the new certificate becomes visible:
    SETR RACLIST(DIGTCERT) REFRESH
  3. Check that the CA certificate has been created by confirming that a profile for it appears when you list the DIGTCERT class:
    1. From the ISPF main menu, enter R to display the RACF dialog, and press Enter.
    2. From the RACF - SERVICES OPTION MENU panel, enter 2 to display the RACF - GENERAL RESOURCE PROFILES panel. Press Enter.
    3. From the RACF - GENERAL RESOURCE PROFILE SERVICES panel, enter 8 to display profile contents. Press Enter.
    4. From the RACF - GENERAL RESOURCE SERVICES - DISPLAY panel, type the class name DIGTCERT in the CLASS field, leave the PROFILE field blank, and press Enter.
    5. From the next RACF - GENERAL RESOURCE SERVICES - DISPLAY panel, complete the following steps:
      1. Ensure that the CLASS field contains the class name DIGTCERT.
      2. Leave the PROFILE field blank.
      3. In the DISCRETE field, enter Yes to select the profile type.
      4. In the ACCESS LIST field, enter Yes to select the access list option.
      5. Press Enter.

    RACF displays the profiles in the DIGTCERT class. Each certificate is represented by a profile whose name is built from the certificate's serial number and the issuer's distinguished name; check that the list contains a profile for the CA certificate that you have just created.

  4. List the certificate:
    RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT'))
    In the output, confirm that the Status is TRUST, that the Subject's Name and Issuer's Name are identical (the certificate is self-signed), and that the Start Date and End Date give the validity period you intend.
  5. Create a personal certificate on the server and sign it with your CA certificate. Enter the following command on one line:
    RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG PERSONAL CERT') C('GB')) 
    SIZE(2048) WITHLABEL('CTG PERSONAL CERT') SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))
    CTGUSER must be a valid RACF user ID. Use the user ID under which the server that will present this certificate runs, because the keyring that you create in step 7 is owned by that user ID and the server reads it under that identity. If clients check the server's host name against its certificate, also specify the host name that clients connect to, either as CN('host-name') in SUBJECTSDN or as a subject alternative name with ALTNAME(DOMAIN('host-name')). As with the CA certificate, the personal certificate is valid for one year unless you specify NOTAFTER.
  6. Refresh the DIGTCERT class again so that the new personal certificate becomes visible:
    SETR RACLIST(DIGTCERT) REFRESH
  7. Create a keyring where certificates are stored:
    RACDCERT ADDRING(CTGSERVERKEYRING) ID(CTGUSER)
  8. Add the CA certificate and personal certificate to the keyring:
    1. Add the CA certificate to the keyring as a trusted certificate authority (USAGE(CERTAUTH)):
      RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT') RING(CTGSERVERKEYRING) USAGE(CERTAUTH))
      
    2. Add the personal certificate to the keyring as the default certificate, that is, the one the server presents to clients (DEFAULT USAGE(PERSONAL)):
      RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT') RING(CTGSERVERKEYRING) DEFAULT USAGE(PERSONAL))
      
    If the DIGTRING class is RACLISTed on your system, refresh it too, in the same way as the DIGTCERT class in step 6, so that the keyring changes become visible.
  9. List the keyring to confirm that it contains both certificates:
    RACDCERT LISTRING(CTGSERVERKEYRING) ID(CTGUSER)
    Here is an example of the output generated by this command. The CA certificate must show USAGE CERTAUTH, and the personal certificate must show USAGE PERSONAL with DEFAULT YES; without a default certificate the server has nothing to present to clients:
    
    Ring:
         >CTGSERVERKEYRING<
    Certificate Label Name               Cert Owner    USAGE       DEFAULT
    ----------------------------------   -----------   -----       -------
    CTG CA CERT                          CERTAUTH      CERTAUTH    NO
    CTG PERSONAL CERT                    ID(CTGUSER)   PERSONAL    YES
     
  10. Export the personal certificate to a file on the server:
    RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT')) DSN('CTGUSER.PERSONAL.CERT') FORMAT(CERTB64)
    FORMAT(CERTB64) writes the certificate DER-encoded and then Base64-encoded, as text between BEGIN CERTIFICATE and END CERTIFICATE lines, which is the form most clients import. Only the certificate is exported; the private key stays in RACF. When you transfer the file to a client, transfer it as text so that the Base64 characters are converted from EBCDIC to ASCII. If clients are to trust the server through the CA rather than through the individual server certificate, export the CA certificate in the same way, specifying CERTAUTH in place of ID(CTGUSER).
  11. Use ISPF option 3.4 (Data Set List) to browse CTGUSER.PERSONAL.CERT and confirm that it contains a single Base64 block between the BEGIN CERTIFICATE and END CERTIFICATE lines.
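The whole procedure as one batch TSO job, added here as an example; it is not from the original topic and is not part of CICS Transaction Gateway or RACF. It runs the same RACDCERT commands as the steps above, with the additions a production configuration usually needs: an explicit NOTAFTER expiry (the RACDCERT default is one year), the server host name in the subject and as a subject alternative name, a DIGTRING refresh after the keyring changes, and an export of the CA certificate for clients. CTGUSER and CTGSERVERKEYRING are the names used above; the job card values, the host name ctg.example.com, the expiry dates and the data set name CTGUSER.CA.CERT are assumptions to adjust for your site. The submitting user needs RACF SPECIAL or the equivalent access to the IRR.DIGTCERT.* FACILITY profiles, and the job is run once only, because RACDCERT rejects a GENCERT whose label is already in use.

```jcl
//CTGCERTS JOB (ACCT),'CTG TLS KEYRING',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*------------------------------------------------------------------*
//* Constructed example, not from the original topic.                *
//* Assumed values: host name ctg.example.com, expiry dates          *
//* 2036-12-31 (CA) and 2027-12-31 (server), data set CTGUSER.CA.CERT*
//* CTGUSER and CTGSERVERKEYRING are the names used in the steps.    *
//* Run once only: GENCERT fails if the label already exists.        *
//*                                                                  *
//* SYSTSIN commands, in order:                                      *
//*  1 self-signed CA, CERTSIGN key usage, explicit expiry           *
//*  2 refresh DIGTCERT, then list the CA (check Status: TRUST)       *
//*  3 server certificate signed by the CA, with CN and ALTNAME      *
//*    carrying the host name that clients connect to                *
//*  4 refresh DIGTCERT again                                        *
//*  5 create the ring, connect CA (CERTAUTH) and server (DEFAULT)   *
//*  6 refresh DIGTRING if it is RACLISTed (otherwise an error       *
//*    message that can be ignored), then list the ring              *
//*  7 export server and CA certificates as Base64 text (no keys)    *
//*------------------------------------------------------------------*
//RACDCERT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH GENCERT +
    SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG CA CERT') C('GB')) +
    SIZE(2048) KEYUSAGE(CERTSIGN) NOTAFTER(DATE(2036-12-31)) +
    WITHLABEL('CTG CA CERT')
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT'))
  RACDCERT ID(CTGUSER) GENCERT +
    SUBJECTSDN(CN('ctg.example.com') OU('CTG TEST') O('IBM') +
               T('CTG PERSONAL CERT') C('GB')) +
    ALTNAME(DOMAIN('ctg.example.com')) +
    SIZE(2048) NOTAFTER(DATE(2027-12-31)) +
    WITHLABEL('CTG PERSONAL CERT') +
    SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT ID(CTGUSER) ADDRING(CTGSERVERKEYRING)
  RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT') +
    RING(CTGSERVERKEYRING) USAGE(CERTAUTH))
  RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT') +
    RING(CTGSERVERKEYRING) DEFAULT USAGE(PERSONAL))
  SETROPTS RACLIST(DIGTRING) REFRESH
  RACDCERT ID(CTGUSER) LISTRING(CTGSERVERKEYRING)
  RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT')) +
    DSN('CTGUSER.PERSONAL.CERT') FORMAT(CERTB64)
  RACDCERT CERTAUTH EXPORT(LABEL('CTG CA CERT')) +
    DSN('CTGUSER.CA.CERT') FORMAT(CERTB64)
/*
```

Submit the job and read SYSTSPRT from top to bottom: every RACDCERT command echoes its own IRRD messages, so a failed GENCERT or CONNECT shows up in place rather than only as a step return code. Keep the DIGTRING refresh last among the keyring changes; the server only sees the ring's contents after both the DIGTCERT and DIGTRING in-storage copies are current.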

You have now configured SSL server authentication on the CICS server.