Creating SSL Certificates Using RACF as a Certificate Authority
You can use RACF as the certificate authority to create certificates.
In the following steps, the user ID mftps is used. If the user ID associated with the platform server started task is different, change the sample commands accordingly.
For more information on the exact format of the RACF commands and keywords, see z/OS Security Server (RACF) Command Language Reference.
Procedure
Step 1. Create a key ring.
A key ring is the RACF equivalent of a key database. Its name must be specified on the GLOBAL SSL_KEY_DBNAME parameter and cannot contain spaces. See the following example of the RACF command used to create a key ring:
RACDCERT ID(mftps) ADDRING(FusionRing)
This command adds a key ring called FusionRing. The name is case sensitive: the value you supply for the platform server SSL_KEY_DBNAME parameter must match the ADDRING value exactly.
Step 2. Generate a locally-signed CA certificate.
This request generates a self-signed certificate that represents the local RACF certificate authority. Its private key signs every certificate issued in the later steps, so it is the trust anchor for the whole setup; RACDCERT functions are authorized through FACILITY class profiles of the form IRR.DIGTCERT.function, and the ability to run GENCERT or EXPORT against CERTAUTH certificates should be limited to the administrators who perform this procedure. See the following example of the RACF command used to create a self-signed CA certificate. The command is listed on multiple lines for clarity.
RACDCERT CERTAUTH GENCERT
   SUBJECTSDN(CN('domain.name') OU('organization unit') O('Organization')
              SP('State/Province') L('City or Locality') C('xx'))
   WITHLABEL('ProgCertAuth')
where xx is the two-character ISO 3166 country code.
This command produces no output. Unless you specify SIZE and NOTAFTER, GENCERT uses its default key size and a validity period of one year from NOTBEFORE; set both explicitly for a CA certificate, and make sure the CA certificate stays valid for longer than any certificate it signs, because a peer that validates the chain rejects a certificate whose CA has expired. The RACDCERT EXPORT command (Step 6) creates a file containing the certificate authority certificate.
Step 3. Generate a locally-signed certificate for the server.
This request generates a certificate for the user ID of the platform server, signed by the local CA created in Step 2 (it is not self-signed). If connecting clients verify the server's host name, the CN must be that host name. See the following example of the RACF command used to create the server certificate. The command is listed on multiple lines for clarity.
RACDCERT ID(mftps) GENCERT
   SUBJECTSDN(CN('user name') OU('organization unit') O('Organization')
              SP('State/Province') L('City or Locality') C('xx'))
   WITHLABEL('CFusionLocalCert')
   SIGNWITH(CERTAUTH LABEL('ProgCertAuth'))
where xx is the two-character ISO 3166 country code.
This step creates a certificate for user mftps.
Note:
- The label in the SIGNWITH parameter must match the label given by WITHLABEL in the step that created the CA certificate.
- The label given by WITHLABEL in this step must exactly match the label specified in the GLOBAL SSL_DNLABEL or SSL_CLIENT_DNLABEL parameter.
Step 4. Connect the certificate to the key ring.
To use the certificate, you must connect it to the key ring. See the following example of the RACF command used to connect the server certificate to the key ring; DEFAULT makes it the default certificate of the ring. The command is listed on multiple lines for clarity.
RACDCERT ID(mftps)
   CONNECT(ID(mftps) LABEL('CFusionLocalCert') RING(FusionRing) DEFAULT)
Step 5. Connect the self-signed CA certificate to the key ring.
The self-signed CA certificate was created in Step 2. You must connect it to the key ring if you want certificates received from other systems to be authenticated against that CA. See the following example of the RACF command used to connect the CA certificate to the key ring. The command is listed on multiple lines for clarity.
RACDCERT ID(mftps)
   CONNECT(CERTAUTH LABEL('ProgCertAuth') RING(FusionRing))
At this point, you have a certificate that can be used to connect to other systems and a certificate authority certificate that can be used to authenticate certificates received from other systems. Use RACDCERT LISTRING on FusionRing to confirm that both are connected before starting the server.
Step 6. Export the CA certificate to a file.
The self-signed CA certificate was created in Step 2. For other systems to accept certificates signed by this CA, they must have a copy of the CA certificate. This step creates a data set that contains a Base64 encoded certificate file; FORMAT(CERTB64) exports only the certificate, so the CA private key stays in RACF. See the following example of the RACF command used to export the CA certificate to a data set. The command is listed on multiple lines for clarity.
RACDCERT CERTAUTH EXPORT(LABEL('ProgCertAuth'))
   DSN(z/OS dataset name) FORMAT(CERTB64)
The output of this command is a data set that contains the CA certificate. This certificate must be provided to any system that has to authenticate certificates created by this CA; deliver it over a channel you trust, because whoever can replace this file on a peer can impersonate anything this CA vouches for. See the following example of a self-signed CA certificate file.
-----BEGIN CERTIFICATE-----
MIICizCCAfSgAwIBAgIBADANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgyOTIzMDMyMVoXDTAyMDgzMDIzMDMyMFowQjELMAkGA1UEBhMC
VVMxETAPBgNVBAoTCFByb2dpbmV0MSAwHgYDVQQLExdQcm9naW5ldCBMb2NhbCBD
ZXJ0QXV0aDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4m3owLs86h2URKAL
3W4iU5yR55RKDB3PRUjeQkXmRkZtgTRam3Gfr8ygFCr4UEHViE/HjUZeolU2YhMi
/SuoePpfHM8LJVrsYRNxkmJ3ImhBJVlh/yvUniYiuNjuqdQCz6zVMbVOC5lqUnc6
MO28tzsPvcvUwcNMh2QTXfMrGzsCAwEAAaOBkDCBjTBLBglVHQ8BhvhCAQ0EPhM8
R2VuZXJhdGVkIGJ5IHRoZSBTZWN1cmVXYXkgU2VjdXJpdHkgU2VydmVyIGZvciBP
Uy8zOTAgKFJBQ0YpMA4GA1UdDwEB/wQEAwIABjAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRCd6LHrj2lR1ww/09RuM/trNGcOjANBgkqhkiG9w0BAQUFAAOBgQCI
HviGIZgcs8QVPUwWqnlTXUE0CNnKrTRZKrls19XF1mh0/Mj6PtCLPANk5Lyq9tEE
eedn3tjrB8qn72aZAAme9q0t7LiShDcqIqIt9Em2/0PiW98IEPFOSO/YsuJpfv7X
cO5z8hvKyYCcMWnG6PoLyLLh4TRYX3IfLTsYuqARxU==
-----END CERTIFICATE-----
At this point, you have created a certificate authority that can create certificates.
Step 7. Create a user certificate based on a certificate request.
If another system requires a certificate from this CA, that system generates its own key pair and a certificate request (PKCS #10) and sends you the request. RACF then takes the certificate request and creates a certificate for the user; the private key never leaves the requesting system. For this step to be completed, the certificate request must have been placed in a z/OS data set with a RECFM of VB. See the following example of the RACF command used to create a certificate for a user. The command is listed on multiple lines for clarity.
RACDCERT ID(userid) GENCERT(z/OS cert request DSN)
   WITHLABEL('CFusionLocalCert')
   SIGNWITH(CERTAUTH LABEL('ProgCertAuth'))
This step creates a certificate for the user ID named in the ID parameter, using the public key from the request. Note: The label in the SIGNWITH parameter must match the label given by WITHLABEL when the CA certificate was created in Step 2. The certificate must be exported to a file before it can be sent to the requester.
Step 8. Export the user certificate to a file.
The user certificate created in Step 7 is signed by the local CA (it is not self-signed). For the requesting system to use this certificate, you must give it a copy. This step creates a data set that contains a Base64 encoded certificate file. See the following example of the RACF command used to export the user certificate to a data set; use the same user ID as in Step 7. The command is listed on multiple lines for clarity.
RACDCERT ID(userid) EXPORT(LABEL('CFusionLocalCert'))
   DSN(z/OS dataset name) FORMAT(CERTB64)
The output of this command is a data set that contains the user certificate. Return it to the requester, which holds the matching private key, together with the CA certificate exported in Step 6 so that the receiving side can build the chain. See the following example of a user certificate file signed by the local CA.
-----BEGIN CERTIFICATE-----
MIICujCCAiOgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgzMTAwMDAwMFoXDTAyMDgzMTIzNTk1OVowcTELMAkGA1UEBhMC
VVMxETAPBgNVBAgTCE5ldyBZb3JrMRQwEgYDVQQHEwtHYXJkZW4gQ2l0eTERMA8G
A1UEChMIUHJvZ2luZXQxFDASBgNVBAsTC0RldmVsb3BtZW50MRAwDgYDVQQDEwdQ
U1NHUkVHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhiVQR+uODpNC9wPUk
8bzBiGumyQfJPEUxVeU9p+nVZVvkFOuGV9AOHRqXEkRk8TPG7/iVQfmlT4M6nuBD
6kJbtxcVzG5YCuFyhF+xJ7wGkbgenXnW7YCxQLLgH8l3Ao0R4f/4GjEJYqHfnL8X
0+K0OcAyIzQ2k2o5VP7U9XaVwwIDAQABo4GQMIGNMEsGCWCGSAGG+EIBDQQ+EzxH
ZW5lcmF0ZWQgYnkgdGhlIFNlY3VyZVdheSBTZWN1cml0eSBTZXJ2ZXIgZm9yIE9T
LzM5MCAoUkFDRikwHQYDVR0OBBYEFBaYCTQKtdhuX0/kyd7C7mNoajGGMB8GA1Ud
IwQYMBaAFEJ3oseuPaVHXDD/T1G4z+2s0Zw6MA0GCSqGSIb3DQEBBQUAA4GBAAb6
JP75hQOssZrvZxXrCqbr0/m1bK7JzBXY26MgE7qB7QqFO+Eo84sOyD8QjIKMa4fT
gpfBibGYU4aJqHXdcWG1xt/gWU18TgVMkIgsnIDMKtgHr5u8t0AJsIHxY3pHEequ
gL/3+hHqI1G+WYhBNCcHpBdBWhrg04hGNjrIYeFn
-----END CERTIFICATE-----
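Before handing the exported files to another system, it is worth checking that what RACF produced actually chains. The following is an added example, not part of this documentation and not code from the platform server: a standard-library Python script that parses the two sample CERTB64 certificates shown on this page (copied into the CA_B64 and USER_B64 constants; PEM armor lines are stripped if present) and checks the fields a path validator looks at, namely the user certificate's issuer name against the CA's subject, its authorityKeyIdentifier against the CA's subjectKeyIdentifier, the CA's basicConstraints, and whether the user certificate's validity period lies inside the CA's. The function names and the wording of the findings are this example's own. It does not verify the RSA signature; the TLS stack or openssl does that once the files are installed. Run against the page's own samples it reports one finding: the user certificate's NOTAFTER (2002-08-31) falls about a day after the CA's (2002-08-30), so on that last day a peer that validates the chain would reject the user certificate even though the certificate itself looks valid. Keep issued certificates inside the CA's validity window; GENCERT's NOTAFTER defaults to one year after NOTBEFORE when it is not specified.

```python
"""Added example (not the product's own code): structural checks on the CERTB64 files written by
RACDCERT EXPORT, standard library only. CA_B64 and USER_B64 are the sample certificates on this page."""
import base64
import re
CA_B64 = """MIICizCCAfSgAwIBAgIBADANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgyOTIzMDMyMVoXDTAyMDgzMDIzMDMyMFowQjELMAkGA1UEBhMC
VVMxETAPBgNVBAoTCFByb2dpbmV0MSAwHgYDVQQLExdQcm9naW5ldCBMb2NhbCBD
ZXJ0QXV0aDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4m3owLs86h2URKAL
3W4iU5yR55RKDB3PRUjeQkXmRkZtgTRam3Gfr8ygFCr4UEHViE/HjUZeolU2YhMi
/SuoePpfHM8LJVrsYRNxkmJ3ImhBJVlh/yvUniYiuNjuqdQCz6zVMbVOC5lqUnc6
MO28tzsPvcvUwcNMh2QTXfMrGzsCAwEAAaOBkDCBjTBLBglVHQ8BhvhCAQ0EPhM8
R2VuZXJhdGVkIGJ5IHRoZSBTZWN1cmVXYXkgU2VjdXJpdHkgU2VydmVyIGZvciBP
Uy8zOTAgKFJBQ0YpMA4GA1UdDwEB/wQEAwIABjAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRCd6LHrj2lR1ww/09RuM/trNGcOjANBgkqhkiG9w0BAQUFAAOBgQCI
HviGIZgcs8QVPUwWqnlTXUE0CNnKrTRZKrls19XF1mh0/Mj6PtCLPANk5Lyq9tEE
eedn3tjrB8qn72aZAAme9q0t7LiShDcqIqIt9Em2/0PiW98IEPFOSO/YsuJpfv7X
cO5z8hvKyYCcMWnG6PoLyLLh4TRYX3IfLTsYuqARxU=="""
USER_B64 = """MIICujCCAiOgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgzMTAwMDAwMFoXDTAyMDgzMTIzNTk1OVowcTELMAkGA1UEBhMC
VVMxETAPBgNVBAgTCE5ldyBZb3JrMRQwEgYDVQQHEwtHYXJkZW4gQ2l0eTERMA8G
A1UEChMIUHJvZ2luZXQxFDASBgNVBAsTC0RldmVsb3BtZW50MRAwDgYDVQQDEwdQ
U1NHUkVHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhiVQR+uODpNC9wPUk
8bzBiGumyQfJPEUxVeU9p+nVZVvkFOuGV9AOHRqXEkRk8TPG7/iVQfmlT4M6nuBD
6kJbtxcVzG5YCuFyhF+xJ7wGkbgenXnW7YCxQLLgH8l3Ao0R4f/4GjEJYqHfnL8X
0+K0OcAyIzQ2k2o5VP7U9XaVwwIDAQABo4GQMIGNMEsGCWCGSAGG+EIBDQQ+EzxH
ZW5lcmF0ZWQgYnkgdGhlIFNlY3VyZVdheSBTZWN1cml0eSBTZXJ2ZXIgZm9yIE9T
LzM5MCAoUkFDRikwHQYDVR0OBBYEFBaYCTQKtdhuX0/kyd7C7mNoajGGMB8GA1Ud
IwQYMBaAFEJ3oseuPaVHXDD/T1G4z+2s0Zw6MA0GCSqGSIb3DQEBBQUAA4GBAAb6
JP75hQOssZrvZxXrCqbr0/m1bK7JzBXY26MgE7qB7QqFO+Eo84sOyD8QjIKMa4fT
gpfBibGYU4aJqHXdcWG1xt/gWU18TgVMkIgsnIDMKtgHr5u8t0AJsIHxY3pHEequ
gL/3+hHqI1G+WYhBNCcHpBdBWhrg04hGNjrIYeFn"""
ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def der_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2        # one definite-length DER element
    if length & 0x80:                                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    kids, pos = [], 0                                         # elements of a constructed value
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        kids.append((tag, val))
    return kids

def oid_str(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                         # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name_str(value):
    parts = []                                                # Name ::= SEQUENCE OF SET OF {OID, string}
    for _, rdn in der_children(value):
        for _, atv in der_children(rdn):
            (_, oid), (_, text) = der_children(atv)
            parts.append(f"{ATTR.get(oid_str(oid), oid_str(oid))}={text.decode('latin-1')}")
    return ", ".join(parts)

def time_str(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                           # UTCTime: years 00-49 are 20xx (RFC 5280)
        s = ("20" if s[0] < "5" else "19") + s
    return f"{s[:4]}-{s[4:6]}-{s[6:8]}T{s[8:10]}:{s[10:12]}:{s[12:14]}Z"

def parse_cert(text):
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", text))  # PEM armor and whitespace stripped
    fields = der_children(der_children(der_tlv(der)[1])[0][1])        # Certificate -> tbsCertificate
    fields = fields[fields[0][0] == 0xA0:]                    # skip the explicit [0] version (v3)
    (t1, v1), (t2, v2) = der_children(fields[3][1])           # validity
    info = {"serial": int.from_bytes(fields[0][1], "big"), "issuer": name_str(fields[2][1]),
            "subject": name_str(fields[4][1]), "not_before": time_str(t1, v1),
            "not_after": time_str(t2, v2), "ca": False, "ski": None, "aki": None}
    exts = next((der_children(v)[0][1] for t, v in fields[6:] if t == 0xA3), b"")  # [3] extensions
    for _, ext in der_children(exts):
        kids = der_children(ext)                              # OID, optional critical BOOLEAN, OCTET STRING
        oid, inner = oid_str(kids[0][1]), der_children(kids[-1][1])[0]
        if oid == "2.5.29.14":                                # subjectKeyIdentifier
            info["ski"] = inner[1].hex()
        elif oid == "2.5.29.35":                              # authorityKeyIdentifier: [0] keyIdentifier
            info["aki"] = next((v.hex() for t, v in der_children(inner[1]) if t == 0x80), None)
        elif oid == "2.5.29.19":                              # basicConstraints { cA BOOLEAN }
            bc = der_children(inner[1])
            info["ca"] = bool(bc) and bc[0] == (0x01, b"\xff")
    return info

def check_issued_by(cert, ca):
    checks = [(not ca["ca"], "issuer certificate lacks basicConstraints cA=TRUE"),
              (cert["issuer"] != ca["subject"], "issuer DN does not match CA subject DN"),
              (cert["aki"] and ca["ski"] and cert["aki"] != ca["ski"], "AKI does not match CA SKI"),
              (cert["not_before"] < ca["not_before"] or cert["not_after"] > ca["not_after"],
               "validity not within CA's validity")]
    return [msg for failed, msg in checks if failed]          # empty list = fields are consistent
```

check_issued_by(parse_cert(USER_B64), parse_cert(CA_B64)) returns ['validity not within CA's validity'] for the samples above and an empty list when the CA certificate is checked against itself; to check your own exports, read the two data sets into strings and pass them to parse_cert in place of the constants.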
Copyright © Cloud Software Group, Inc. All rights reserved.