RACF FACILITY Class
Ensure that the RACF certificates and key rings meet the requirements below, and that the authority levels needed to administer them have been granted.
Individuals who administer certificates and key rings must have the necessary authority levels granted in the following FACILITY class profiles:
For many of these profiles, administrators require higher authority levels than end users, and some profiles do not require end users to have any authorization at all. To ensure that the authority levels assigned match the intended usage, follow the guidelines in IBM's Security Server (RACF) documentation for the RACDCERT command.
Note: During installation and installation verification of the EMS Client it is often useful for the installation team to be able to confirm that the certificates and rings were installed as intended, either for internal verification or at the direction of TIBCO Support. If this capability is desired and the installation team members can log on with the user ID that runs the EMS Client, READ authority to IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING is sufficient, because a user needs only READ to list its own certificates and rings. If they verify from a different user ID, they need UPDATE authority to those profiles to list another user's certificates and rings, and CONTROL authority to IRR.DIGTCERT.LIST to list the CERTAUTH (or SITE) certificate itself.
RACF Key Rings
RACF key rings must meet the following requirements:
- The EMS client (batch job or started task) has a key ring.
- The user assigned to the job or started task can read the key ring.
- The EMS client has a certificate on the key ring.
- The key ring includes the certificate authority (CA or certauth) certificate that is used to sign the client certificate.
- The key ring name is specified in the ssl_ring parameter in the startup JCL.
RACF Certificates
RACF certificates must meet the following requirements:
- The EMS client has a certificate uniquely identifying it and its user.
- The EMS client certificate is exported and installed on the EMS Server.
- The certificate is signed by the same certauth certificate that is placed on the client key ring.
- The certificate label as given in the WITHLABEL parameter is specified in the ssl_label parameter in the startup JCL.
Sample JCL
The following sample assumes that the user intends to generate the certificate by using the RACF GENCERT function. This is one of the methods that can generate certificates used by IBM System SSL.
Note the following conditions:
- SIZE must be determined by usage. IBM places restrictions on key size depending on where the certificate is stored and how it is used. SIZE is the length of the key in bits and therefore determines its strength: a size of 1024 results in a medium-strength key, and 2048 or larger should be used for any new key.
- NOTAFTER must be a date that does not exceed the expiration (NOTAFTER) date of the signing CA or certauth certificate. For example, if the CA certificate expires on 2013-01-01, NOTAFTER must be 2013-01-01 or earlier; GENCERT fails otherwise.
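The following job is an added example written for this page; it is not TIBCO's sample JCL and not part of the original document. It carries out the whole procedure described above in one place: the GENCERT call with SIZE and NOTAFTER set as the conditions require, the key ring and CERTAUTH connection the RACF Key Rings section requires, the READ permissions on IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING from the note on installation verification, and the export of the certificate for installation on the EMS Server. Every name in it is an assumption: EMSCLNT is the user ID the EMS client job or started task runs under, EMSRING the key ring (the value for ssl_ring), 'EMS Client Cert' the certificate label (the value for ssl_label), 'Local CA' the label of an existing CERTAUTH certificate that expires no earlier than 2026-12-31, and SYS1.EMSCLNT.CERT a data set that does not yet exist. The administrator who submits the job needs the higher (UPDATE/CONTROL) authority levels on the IRR.DIGTCERT.* profiles that the IBM RACDCERT documentation lists for operating on another user's objects and on CERTAUTH certificates.

```jcl
//RACFCERT JOB (ACCT),'EMS CLIENT CERT',CLASS=A,MSGCLASS=X
//*
//* Added example (not TIBCO's sample JCL). Assumed names:
//*   EMSCLNT           user ID the EMS client runs under
//*   EMSRING           key ring name       -> ssl_ring
//*   'EMS Client Cert' certificate label   -> ssl_label
//*   'Local CA'        existing CERTAUTH certificate that signs it
//*   SYS1.EMSCLNT.CERT new data set for the exported certificate
//*
//* STEP1: generate the client certificate, signed by the local CA.
//*   SIZE(2048): 1024 is only medium strength, so use 2048 or more.
//*   NOTAFTER must not be later than the CA certificate's own
//*   NOTAFTER date, or GENCERT fails.
//STEP1    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(EMSCLNT) GENCERT                              +
    SUBJECTSDN(CN('ems.client.example.com') OU('EMS')       +
               O('Example') C('US'))                        +
    WITHLABEL('EMS Client Cert')                            +
    SIZE(2048)                                              +
    NOTAFTER(DATE(2026-12-31))                              +
    SIGNWITH(CERTAUTH LABEL('Local CA'))
/*
//* STEP2: create the key ring owned by the client user ID, connect
//*   the client certificate as the default personal certificate and
//*   the signing CA certificate as USAGE(CERTAUTH), then give the
//*   client user ID READ access so it can list its own ring and
//*   certificate (READ is enough for a user's own objects).
//STEP2    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(EMSCLNT) ADDRING(EMSRING)
  RACDCERT ID(EMSCLNT) CONNECT(ID(EMSCLNT)                  +
    LABEL('EMS Client Cert') RING(EMSRING)                  +
    USAGE(PERSONAL) DEFAULT)
  RACDCERT ID(EMSCLNT) CONNECT(CERTAUTH LABEL('Local CA')   +
    RING(EMSRING) USAGE(CERTAUTH))
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(EMSCLNT)  +
    ACCESS(READ)
  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(EMSCLNT)      +
    ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
/*
//* STEP3: export the certificate for the EMS Server and verify.
//*   FORMAT(CERTB64) writes the public certificate only; the private
//*   key never leaves RACF. RACDCERT allocates the export data set,
//*   so it must not already exist. LISTRING must show both
//*   certificates, and LIST must show 'Local CA' as the issuer.
//STEP3    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(EMSCLNT) EXPORT(LABEL('EMS Client Cert'))     +
    DSN('SYS1.EMSCLNT.CERT') FORMAT(CERTB64)
  RACDCERT ID(EMSCLNT) LISTRING(EMSRING)
  RACDCERT ID(EMSCLNT) LIST(LABEL('EMS Client Cert'))
/*
```

Check SYSTSPRT of each step for the RACDCERT messages before moving on, since IKJEFT01 keeps processing commands after one of them fails. After STEP3, transfer SYS1.EMSCLNT.CERT to the EMS Server for installation, and set ssl_ring to EMSRING and ssl_label to the WITHLABEL value, 'EMS Client Cert', in the EMS client's startup JCL.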
Copyright © 2022. Cloud Software Group, Inc. All Rights Reserved.
