Secure servers require the ability to retrieve the certificate
that is associated with a particular server, along with the ability
to perform operations with the private key of the server, such as
establishing an SSL session. Assume that we have a secure server which
has the distinguished name of
OU=Inventory,O=XYZZY,C=US and
a domain name of
xyzzy.com. This server executes
on
z/OS with
the user ID INVSERV. The steps to implement a server certificate are:
- Generate a self-signed certificate for the server. This certificate
is associated with the user ID that is associated with the secure
server.
RACDCERT ID(INVSERV)
GENCERT
SUBJECTSDN(CN('xyzzy.com')
OU('Inventory')
O('XYZZY')
C('US'))
WITHLABEL('Inventory Server')
Note: Some SSL applications
require that the common name (CN) be equal to the domain name.
- Create a certificate request to send to your chosen certificate
authority. The certificate request that we are creating is based on
the certificate that we created in the previous step. Place this certificate
into the data set 'MARKN.INVSERV.GENREQ'.
RACDCERT ID(INVSERV)
GENREQ(LABEL('Inventory Server'))
DSN('MARKN.INVSERV.GENREQ')
- Send the certificate request to the certificate authority. The
certificate request is in base64-encoded text. Typically, the request
is sent to the certificate authority by using "cut and paste" to place
the certificate request into an e-mail that is sent to the certificate
authority.
Note: RACF® is not
involved with this step.
- The certificate authority validates the certificate. If the certificate
is approved by the certificate authority, it is signed by the certificate
authority, and returned to the requestor.
Note: RACF is not involved with this step.
- Receive the returned certificate into a data set (for example,'MARKN.INVSERV.CERT').
The returned certificate is in base64-encoded text. This can be done
with "cut and paste", FTP, or other technique.
Note: RACF is not involved with this step.
- Replace the self-signed certificate with the certificate signed
by the certificate authority. Note that the certificate is only replaced
if the user ID that is specified as the ID value on the RACDCERT ADD
command is the same user ID that was specified when the certificate
was created. If the ID is not the same, then the certificate is added
anew.
RACDCERT ID(INVSERV)
ADD('MARKN.INVSERV.CERT')
WITHLABEL('Inventory Server')
- Connect the certificate to INVSERV's existing key ring and mark
it as the default certificate.
RACDCERT ID(INVSERV)
CONNECT(LABEL('Inventory Server')
RING(RING01)
DEFAULT)
- Assuming the chosen certificate authority certificate has already
been added to RACF under CERTAUTH
with the label of 'External Inventory CA', connect
it to the key ring as well. This completes the certificate hierarchy
from root to inventory server.
RACDCERT ID(INVSERV)
CONNECT(CERTAUTH LABEL('External Inventory CA')
RING(RING01))
- Give user INVSERV permission to read its own key
ring by administering a profile in either the FACILITY or the RDATALIB
class.
- When using the FACILITY class:
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(INVSERV) ACCESS(READ)
- When using the RDATALIB class:
RDEFINE RDATALIB INVSERV.RING01.LST UACC(NONE)
PERMIT INVSERV.RING01.LST CLASS(RDATALIB) ID(INVSERV) ACCESS(READ)
- Configure INVSERV's software to use RING01 for
SSL. For example, for z/OS® HTTP
Server, set the keyFile directive to KeyFile
RING01 SAF.
Note: RACF is
not involved with this step.
z/OS Security Server RACF Security Administrator's Guide
Copyright IBM Corporation 1990, 2014