IBM Support

ZWSTECHNOTE : DWCZOS : Creating / Installing the certificates for DWC 10.2.1 or higher on z/OS

How To


Summary

The purpose of this technote is to provide some additional details for the section "Installing a Dynamic Workload Console server" in chapter 8 of the Planning and Installation Guide
( https://www.ibm.com/docs/en/SSGSPN_10.2.2/eqqi1mst.pdf ).

Objective

Create p12 certificates for DWC installation on z/OS

Steps

NOTE: This technote covers the certificate requirements for installing the DWC on z/OS (dwcinst.sh script). To also secure the connection between the DWC and the zWS server task, refer to technote https://www.ibm.com/support/pages/node/7156239
( ZWSTECHNOTE : DWCZOS : Secure connection between zconnector / DWC on zWS server task using SSL )

Steps to follow:

Step 1: Create a certificate on z/OS by customizing and running the attached sample JCL (certcstm.txt)

NOTE: The owner of the ring (the userid that runs the sample JCL) must also be the userid of the controller and of the server task that connects to the zconnector.

Step 2: Export the z/OS certificate using the RACF utility panel ICHP00 (RACF - SERVICES OPTION MENU), option 7 --> 1 --> 4 (Write a certificate to a data set). Be sure to allocate the data set beforehand. Example:

Data Set Name . . . . : TWSTST.TWSV.ZOSCSTM.CERT   
 Space units . . . . . TRKS                                
 Primary quantity  . . 5                                      
 Secondary quantity    1                                     
 Directory blocks  . . 0                   
 Record format . . . . VB                                                     
 Record length . . . . 84                                                     
 Block size  . . . . . 27998      

Step 3: Create the Distributed certificates on a distributed environment such as UNIX, using the following procedure. Note that this distributed machine is needed ONLY to run OpenSSL, which cannot be run on z/OS. After the installation, this distributed environment does not have to be part of the DWC configuration:

  • openssl genrsa -out ca.key 2048
  • or
  • openssl genrsa -out ca.key 4096
  • openssl req -x509 -new -nodes -key ca.key -subj "/CN=<common_name>" -days nnnnn -out ca.crt
  • NOTE: nnnnn can be whatever value you want, for example 3650 for ten years.
  • NOTE: Once the certificates are created, the expiration date (expiry) cannot be modified. The certificates would need to be created again to have a different expiration date.
  • openssl genrsa -des3 -out tls.key 2048
  • or
  • openssl genrsa -des3 -out tls.key 4096
  • openssl req -new -key tls.key -out tls.csr
  • openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days nnnn -out tls.crt -extfile /etc/pki/tls/openssl.cnf -extensions v3_req
  • Put the ca.crt, tls.crt and tls.key into the ssl folder to be used for installation

Step 4: Transfer (FTP) the certificate from z/OS to the Distributed environment in ASCII mode [be sure to be in ASCII mode] 

Step 5: Convert all the certificates to p12 format. The folder that sslkeysfolder points to must contain two files, named TWSServerKeyFile.p12 and TWSServerTrustFile.p12, which hold your certificates. See the attached file for details:

NOTE: These file names must NOT be modified; use them exactly as shown.

crt_to_p12.txt

Step 6: Transfer (FTP) the certificates (ca.crt and tls.crt) from step 3, from Distributed to z/OS environment in ASCII mode [be sure to be in ASCII mode and to have allocated the datasets beforehand as in step 3] 

Step 7: Transfer (FTP) the certificate database to z/OS  (see attached file DWC.FTP_.PROCESS.txt )

Step 8: Import the Distributed certificates from step 6 into the RING created in step 1 by customizing and running the attached sample JCL (certpro.txt) for both distributed certificates

Step 9: Install the DWC in the usual way with the scripts configureDb.sh and dwcinst.sh. Be sure to add the parameters --sslkeysfolder and --sslpassword
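
The checks below are an added example, not part of the technote or its attachments: run on the distributed machine after step 3, they confirm that tls.crt was issued by ca.crt, that tls.key matches tls.crt, and that neither certificate expires sooner than intended, since the expiry cannot be changed afterwards. The function names, the sample subjects and the pass:sample passphrase are assumptions made for the example; the sample is built without the -extfile option so it does not depend on a particular openssl.cnf.

```shell
#!/bin/sh
# Added example (not IBM's): pre-transfer checks on the step 3 output files.

# 0 if certificate $2 verifies against CA certificate $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if private key $1 and certificate $2 hold the same public key.
# $3 is an openssl passphrase source for the key, e.g. file:/path or env:VAR.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "$3" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 0 if certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check on folder $1; $2 = passphrase source, $3 = minimum days left.
check_ssl_folder() {
    rc=0
    chains_to_ca "$1/ca.crt" "$1/tls.crt" || { echo "FAIL: tls.crt not issued by ca.crt"; rc=1; }
    key_matches_cert "$1/tls.key" "$1/tls.crt" "$2" || { echo "FAIL: tls.key does not match tls.crt"; rc=1; }
    for c in ca.crt tls.crt; do
        valid_for_days "$1/$c" "$3" || { echo "FAIL: $c expires within $3 days"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 passed all checks"
    return "$rc"
}

# Constructed sample: throwaway CA and server certificate in folder $1, valid $2 days,
# built with the step 3 commands made non-interactive (sample passphrase, no -extfile).
make_sample() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key "$1/ca.key" -subj "/CN=sample-ca" -days "$2" -out "$1/ca.crt" &&
    openssl genrsa -des3 -passout pass:sample -out "$1/tls.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/tls.key" -passin pass:sample -subj "/CN=sample-dwc" -out "$1/tls.csr" &&
    openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days "$2" -out "$1/tls.crt" 2>/dev/null
}

# Demo on constructed data only: a 30-day sample checked for at least 7 days of validity.
demo=$(mktemp -d) && make_sample "$demo" 30 && check_ssl_folder "$demo" pass:sample 7
rm -rf "$demo"
```

For real keys, pass the passphrase as file: or env: rather than pass:, so it does not appear in the process list or shell history.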

Document Location

Worldwide


Document Information

Modified date:
10 October 2024

UID

ibm17154608