To create a RACF® key ring, you must first generate a RACF CA certificate and a personal certificate for IBM® Integration Bus, then connect the certificates to the key ring.
About this task
Each RACF key ring has its own name, up to 237 characters long, and is associated with a user ID. A RACF key ring is connected to a set of personal certificates and trusted certificates that are stored in the RACF database. The RACF command RACDCERT is used to create and delete key rings and to connect or disconnect certificates to the key rings. RACF key rings are also called System Authorization Facility (SAF) key rings. SAF is an open standard to access security services.
To create a RACF key ring to be used by AT-TLS on behalf of IBM Integration Bus, complete the following steps.
Procedure
- Generate a RACF certificate authority (CA) certificate.
You can use RACF as a CA to generate and sign personal certificates for your internal systems or applications. This CA certificate needs to be created only once; it is then used to sign every personal certificate that RACF generates.
The following example shows how to use a RACF command to generate a RACF CA certificate.
RACDCERT CERTAUTH GENCERT +
SUBJECTSDN(CN('MQRootCA') +
OU('ISSW') +
O('IBM') +
L('HURSLEY') SP('WINCHESTER') C('GB')) +
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN CERTSIGN) +
WITHLABEL('MQRootCA') +
NOTAFTER(DATE(2020/01/30)) +
SIZE(1024)
- Generate a personal certificate for IBM Integration Bus.
This certificate identifies a specific instance of IBM Integration Bus. It is presented to the partner application during the SSL handshake. This certificate must be associated with the user ID under which IBM Integration Bus is running.
The following example shows how to use a RACF command to generate the personal certificate for an integration node called WI02BRK that is running under user ID WI02USR.
RACDCERT ID(WI02USR) +
GENCERT SUBJECTSDN(CN('WI02BRK') +
OU('ISSW') O('IBM') +
L('HURSLEY') SP('WINCHESTER') C('GB')) +
WITHLABEL('WI02BRK') SIZE(1024) +
SIGNWITH(CERTAUTH LABEL('MQRootCA')) +
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) +
NOTAFTER(DATE(2012/01/30))
- Create a RACF key ring and connect the certificates to the key ring.
The RACF key ring must be associated with a user ID (in this case, the IBM Integration Bus user ID). The key ring must have a name (in this case, the same name as the integration node), and the IBM Integration Bus personal certificate must be connected to the key ring. The following example shows how to use a RACF command to create a key ring and connect the IBM Integration Bus personal certificate.
RACDCERT ID(WI02USR) ADDRING(WI02BRK)
RACDCERT ID(WI02USR) +
CONNECT(ID(WI02USR) LABEL('WI02BRK') RING(WI02BRK))
RACDCERT ID(WI02USR) LISTRING(WI02BRK)
For RACF to validate a partner application certificate, you must import the signer certificate of the CA that generated and signed the personal certificate of the partner application. Typically, this certificate is extracted from the partner application keystore, transferred to z/OS® as a data set (WI02USR.VSR1BK.DER), imported to RACF, and connected to the RACF key ring as a signer (trusted) certificate.
The following example shows how to use a RACF command to add a signer certificate to RACF and connect it to the RACF key ring.
RACDCERT CERTAUTH ADD('WI02USR.VSR1BK.DER') +
WITHLABEL('VSR1BK') TRUST
RACDCERT CERTAUTH LIST(LABEL('VSR1BK'))
RACDCERT ID(WI02USR) +
CONNECT(CERTAUTH LABEL('VSR1BK') RING(WI02BRK))
RACDCERT ID(WI02USR) LISTRING(WI02BRK)
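To check the result of the LISTRING commands above without reading the listing by eye, here is an added Python check (not code from the IBM page) that parses a LISTRING listing and reports whether the integration node's personal certificate and the partner's signer certificate are connected to the ring. The sample listing embedded in it is constructed, and its exact column layout is an assumption.

```python
"""Verify that a RACF key ring holds the certificates AT-TLS needs.

Parses the output of  RACDCERT ID(WI02USR) LISTRING(WI02BRK)  and
checks for the node's PERSONAL certificate (owned by the node's user
ID) and the partner CA's CERTAUTH (signer) certificate.
"""
import re

# Constructed sample of LISTRING output after the CONNECT steps on the
# page; the column layout is an assumption, not captured output.
SAMPLE_LISTRING = """\
Digital ring information for user WI02USR:

  Ring:
       >WI02BRK<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WI02BRK                            ID(WI02USR)    PERSONAL   NO
  VSR1BK                             CERTAUTH       CERTAUTH   NO
"""

# One ring entry: label (may contain spaces), owner, usage, default flag.
ENTRY = re.compile(
    r"^\s*(.+?)\s+(ID\(\S+\)|CERTAUTH|SITE)\s+(PERSONAL|CERTAUTH|SITE)\s+(YES|NO)\s*$")


def parse_listring(text):
    """Return (ring_name, entries); each entry is a dict of the columns."""
    ring, entries = None, []
    for line in text.splitlines():
        m = re.search(r">(\S+)<", line)          # ring name is shown as >NAME<
        if m and ring is None:
            ring = m.group(1)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({"label": m.group(1), "owner": m.group(2),
                            "usage": m.group(3), "default": m.group(4) == "YES"})
    return ring, entries


def check_ring(text, expected_ring, node_user, node_label, signer_labels):
    """Return a list of problems; an empty list means the ring is complete."""
    ring, entries = parse_listring(text)
    problems = []
    if ring != expected_ring:
        problems.append(f"ring {ring!r} is not {expected_ring!r}")
    if not any(e["usage"] == "PERSONAL" and e["label"] == node_label
               and e["owner"] == f"ID({node_user})" for e in entries):
        problems.append(f"personal certificate {node_label} owned by {node_user} is not connected")
    trusted = {e["label"] for e in entries if e["usage"] == "CERTAUTH"}
    for label in signer_labels:
        if label not in trusted:
            problems.append(f"signer certificate {label} is not connected as CERTAUTH")
    return problems
```

Run `check_ring(SAMPLE_LISTRING, "WI02BRK", "WI02USR", "WI02BRK", ["VSR1BK"])` against a captured listing to get an empty list when every step has taken effect.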
What to do next
Configure and activate the policy agent by following the instructions in Configuring and activating the policy agent (PAGENT).