Creating SSL Certificates Using RACF as a Certificate Authority
You can use RACF as the certificate authority to create certificates.
In the following steps, a user ID of mftps is used. If the user ID associated with the Platform Server started task is different from this, you must make the corresponding changes to the sample commands.
For more information on the exact format of the RACF commands and keywords, see z/OS Security Server (RACF) Command Language Reference.
Procedure
1. Create a key ring.
A key ring is the equivalent of a key database. The key ring name must be specified on the GLOBAL SSL_KEY_DBNAME parameter. You cannot embed any spaces in the key ring name. See the following example of the RACF command used to create a key ring:
RACDCERT ID(mftps) ADDRING(FusionRing)
This command adds a key ring called FusionRing. This name is case sensitive. When you supply this name to the Platform Server SSL_KEY_DBNAME parameter, you must use exactly the same name (case sensitive) as is used on the ADDRING parameter.
2. Generate a locally-signed CA certificate for the server.
This request generates a self-signed certificate that represents the local RACF certificate authority. See the following example of the RACF command used to create a self-signed CA certificate for the server. The command is listed on multiple lines for clarity.
RACDCERT CERTAUTH GENCERT
  SUBJECTSDN(CN('domain.name') OU('organization unit') O('Organization')
             SP('State/Province') L('City or Locality') C('xx'))
  WITHLABEL('ProgCertAuth')
where xx is the 2-byte country name.
This command has no output. The RACDCERT EXPORT command can be used to create a file containing the certificate authority certificate. The RACDCERT GENCERT command can be used to generate a certificate.
3. Generate a locally-signed certificate for the server.
This request generates a self-signed certificate for a user. See the following example of the RACF command used to create a self-signed certificate for the server. The command is listed on multiple lines for clarity.
RACDCERT ID(mftps) GENCERT
  SUBJECTSDN(CN('user name') OU('organization unit') O('Organization')
             SP('State/Province') L('City or Locality') C('xx'))
  WITHLABEL('CFusionLocalCert')
  SIGNWITH(CERTAUTH LABEL('ProgCertAuth'))
where xx is the 2-byte country name.
This step actually creates a certificate for user mftps.
Note:
- The label name defined in the SIGNWITH parameter must match the label name created by the WITHLABEL parameter on the step that created the CA certificate.
- The label defined in this step by the WITHLABEL parameter must exactly match the label specified in the GLOBAL SSL_DNLABEL or SSL_CLIENT_DNLABEL parameters.
4. Connect the certificate to the key ring.
To use the certificate, you must connect it to the key ring. See the following example of the RACF command used to connect the self-signed certificate to the key ring. The command is listed on multiple lines for clarity.
RACDCERT ID(mftps) CONNECT(ID(mftps) LABEL('CFusionLocalCert') RING(FusionRing) DEFAULT)
Note: The DEFAULT parameter makes this certificate the default certificate for the key ring. You can override this parameter by using the GLOBAL SSL_DNLABEL and SSL_CLIENT_DNLABEL parameters.
5. Connect the self-signed CA certificate to the key ring.
The self-signed CA certificate is created in step 2. You must connect it to the key ring if you want certificates to be authenticated with that CA. See the following example of the RACF command used to connect the CA certificate to the key ring. The command is listed on multiple lines for clarity.
RACDCERT ID(mftps) CONNECT(CERTAUTH LABEL('ProgCertAuth') RING(FusionRing))
At this point, you have a certificate that can be used to connect to other systems. You also have a certificate authority certificate that can be used to authenticate certificates received from other systems.
6. Export the CA certificate to a file.
The self-signed CA certificate is created in step 2. For other systems to accept any certificates signed by this CA, they must have a copy of the CA certificate. This step creates a dataset that contains a Base64 encoded certificate file. See the following example of the RACF command used to export the CA certificate to a dataset. The command is listed on multiple lines for clarity.
RACDCERT CERTAUTH EXPORT(LABEL('ProgCertAuth'))
  DSN(z/OS dataset name)
  FORMAT(CERTB64)
The output of this command is a dataset that contains the CA certificate. This certificate must be provided to any system that has to authenticate certificates created by this CA. See the following example of a self-signed CA certificate file.
-----BEGIN CERTIFICATE-----
MIICizCCAfSgAwIBAgIBADANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgyOTIzMDMyMVoXDTAyMDgzMDIzMDMyMFowQjELMAkGA1UEBhMC
VVMxETAPBgNVBAoTCFByb2dpbmV0MSAwHgYDVQQLExdQcm9naW5ldCBMb2NhbCBD
ZXJ0QXV0aDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4m3owLs86h2URKAL
3W4iU5yR55RKDB3PRUjeQkXmRkZtgTRam3Gfr8ygFCr4UEHViE/HjUZeolU2YhMi
/SuoePpfHM8LJVrsYRNxkmJ3ImhBJVlh/yvUniYiuNjuqdQCz6zVMbVOC5lqUnc6
MO28tzsPvcvUwcNMh2QTXfMrGzsCAwEAAaOBkDCBjTBLBglVHQ8BhvhCAQ0EPhM8
R2VuZXJhdGVkIGJ5IHRoZSBTZWN1cmVXYXkgU2VjdXJpdHkgU2VydmVyIGZvciBP
Uy8zOTAgKFJBQ0YpMA4GA1UdDwEB/wQEAwIABjAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRCd6LHrj2lR1ww/09RuM/trNGcOjANBgkqhkiG9w0BAQUFAAOBgQCI
HviGIZgcs8QVPUwWqnlTXUE0CNnKrTRZKrls19XF1mh0/Mj6PtCLPANk5Lyq9tEE
eedn3tjrB8qn72aZAAme9q0t7LiShDcqIqIt9Em2/0PiW98IEPFOSO/YsuJpfv7X
cO5z8hvKyYCcMWnG6PoLyLLh4TRYX3IfLTsYuqARxU==
-----END CERTIFICATE-----
At this point, you have created a certificate authority that can create certificates.
7. Create a user certificate based on a certificate request.
If a system requires a certificate, then you must create a certificate request. RACF then takes the certificate request and creates a certificate for the user. For this step to be completed, you must have created a certificate request in a z/OS file with a RECFM of VB. See the following example of the RACF command used to create a certificate for a user. The command is listed on multiple lines for clarity.
RACDCERT ID(userid) GENCERT(z/OS cert request DSN)
  WITHLABEL('CFusionLocalCert')
  SIGNWITH(CERTAUTH LABEL('ProgCertAuth'))
This step actually creates a certificate for user mftps.
Note: The label name defined in the SIGNWITH parameter must match the label name created by the WITHLABEL parameter that created the CA certificate in step 2. However, the certificate must be exported to a file before it can be sent to a user.
8. Export the user certificate to a file.
The self-signed user certificate is created in step 7. For the system to use this certificate, you must have a copy of the certificate. This step creates a dataset that contains a Base64 encoded certificate file. See the following example of the RACF command used to export the user certificate to a dataset. The command is listed on multiple lines for clarity.
RACDCERT ID(mftps) EXPORT(LABEL('CFusionLocalCert'))
  DSN(z/OS dataset name)
  FORMAT(CERTB64)
The output of this command is a dataset that contains the CA certificate. This certificate must be provided to any system that has to authenticate certificates created by this CA. See the following example of a self-signed user certificate file.
-----BEGIN CERTIFICATE-----
MIICujCCAiOgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgzMTAwMDAwMFoXDTAyMDgzMTIzNTk1OVowcTELMAkGA1UEBhMC
VVMxETAPBgNVBAgTCE5ldyBZb3JrMRQwEgYDVQQHEwtHYXJkZW4gQ2l0eTERMA8G
A1UEChMIUHJvZ2luZXQxFDASBgNVBAsTC0RldmVsb3BtZW50MRAwDgYDVQQDEwdQ
U1NHUkVHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhiVQR+uODpNC9wPUk
8bzBiGumyQfJPEUxVeU9p+nVZVvkFOuGV9AOHRqXEkRk8TPG7/iVQfmlT4M6nuBD
6kJbtxcVzG5YCuFyhF+xJ7wGkbgenXnW7YCxQLLgH8l3Ao0R4f/4GjEJYqHfnL8X
0+K0OcAyIzQ2k2o5VP7U9XaVwwIDAQABo4GQMIGNMEsGCWCGSAGG+EIBDQQ+EzxH
ZW5lcmF0ZWQgYnkgdGhlIFNlY3VyZVdheSBTZWN1cml0eSBTZXJ2ZXIgZm9yIE9T
LzM5MCAoUkFDRikwHQYDVR0OBBYEFBaYCTQKtdhuX0/kyd7C7mNoajGGMB8GA1Ud
IwQYMBaAFEJ3oseuPaVHXDD/T1G4z+2s0Zw6MA0GCSqGSIb3DQEBBQUAA4GBAAb6
JP75hQOssZrvZxXrCqbr0/m1bK7JzBXY26MgE7qB7QqFO+Eo84sOyD8QjIKMa4fT
gpfBibGYU4aJqHXdcWG1xt/gWU18TgVMkIgsnIDMKtgHr5u8t0AJsIHxY3pHEequ
gL/3+hHqI1G+WYhBNCcHpBdBWhrg04hGNjrIYeFn
-----END CERTIFICATE-----
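As an added check, not part of this page or of the Platform Server product, the following Python script reads the two Base64 certificate files exported in steps 6 and 8 and confirms that the user certificate actually chains to the exported CA certificate before either file is handed to another system: the user certificate's issuer must equal the CA subject, its authority key identifier must equal the CA's subject key identifier, and its validity window should sit inside the CA's. It uses only the standard library (a minimal DER walker written for this example) and does not verify the RSA signature; the two certificates embedded in it are the sample exports shown on this page.

```python
"""Sanity-check an exported RACF CA / user certificate pair (CERTB64 datasets) before
distributing it: chaining and validity windows, via a minimal DER walker; no signature check."""
import base64
from datetime import datetime, timezone

# Sample exports taken from this page (CA certificate, step 6; user certificate, step 8).
CA_PEM = """-----BEGIN CERTIFICATE-----
MIICizCCAfSgAwIBAgIBADANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgyOTIzMDMyMVoXDTAyMDgzMDIzMDMyMFowQjELMAkGA1UEBhMC
VVMxETAPBgNVBAoTCFByb2dpbmV0MSAwHgYDVQQLExdQcm9naW5ldCBMb2NhbCBD
ZXJ0QXV0aDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4m3owLs86h2URKAL
3W4iU5yR55RKDB3PRUjeQkXmRkZtgTRam3Gfr8ygFCr4UEHViE/HjUZeolU2YhMi
/SuoePpfHM8LJVrsYRNxkmJ3ImhBJVlh/yvUniYiuNjuqdQCz6zVMbVOC5lqUnc6
MO28tzsPvcvUwcNMh2QTXfMrGzsCAwEAAaOBkDCBjTBLBglVHQ8BhvhCAQ0EPhM8
R2VuZXJhdGVkIGJ5IHRoZSBTZWN1cmVXYXkgU2VjdXJpdHkgU2VydmVyIGZvciBP
Uy8zOTAgKFJBQ0YpMA4GA1UdDwEB/wQEAwIABjAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRCd6LHrj2lR1ww/09RuM/trNGcOjANBgkqhkiG9w0BAQUFAAOBgQCI
HviGIZgcs8QVPUwWqnlTXUE0CNnKrTRZKrls19XF1mh0/Mj6PtCLPANk5Lyq9tEE
eedn3tjrB8qn72aZAAme9q0t7LiShDcqIqIt9Em2/0PiW98IEPFOSO/YsuJpfv7X
cO5z8hvKyYCcMWnG6PoLyLLh4TRYX3IfLTsYuqARxU==
-----END CERTIFICATE-----"""
USER_PEM = """-----BEGIN CERTIFICATE-----
MIICujCCAiOgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIUHJvZ2luZXQxIDAeBgNVBAsTF1Byb2dpbmV0IExvY2FsIENlcnRB
dXRoMB4XDTAxMDgzMTAwMDAwMFoXDTAyMDgzMTIzNTk1OVowcTELMAkGA1UEBhMC
VVMxETAPBgNVBAgTCE5ldyBZb3JrMRQwEgYDVQQHEwtHYXJkZW4gQ2l0eTERMA8G
A1UEChMIUHJvZ2luZXQxFDASBgNVBAsTC0RldmVsb3BtZW50MRAwDgYDVQQDEwdQ
U1NHUkVHMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhiVQR+uODpNC9wPUk
8bzBiGumyQfJPEUxVeU9p+nVZVvkFOuGV9AOHRqXEkRk8TPG7/iVQfmlT4M6nuBD
6kJbtxcVzG5YCuFyhF+xJ7wGkbgenXnW7YCxQLLgH8l3Ao0R4f/4GjEJYqHfnL8X
0+K0OcAyIzQ2k2o5VP7U9XaVwwIDAQABo4GQMIGNMEsGCWCGSAGG+EIBDQQ+EzxH
ZW5lcmF0ZWQgYnkgdGhlIFNlY3VyZVdheSBTZWN1cml0eSBTZXJ2ZXIgZm9yIE9T
LzM5MCAoUkFDRikwHQYDVR0OBBYEFBaYCTQKtdhuX0/kyd7C7mNoajGGMB8GA1Ud
IwQYMBaAFEJ3oseuPaVHXDD/T1G4z+2s0Zw6MA0GCSqGSIb3DQEBBQUAA4GBAAb6
JP75hQOssZrvZxXrCqbr0/m1bK7JzBXY26MgE7qB7QqFO+Eo84sOyD8QjIKMa4fT
gpfBibGYU4aJqHXdcWG1xt/gWU18TgVMkIgsnIDMKtgHr5u8t0AJsIHxY3pHEequ
gL/3+hHqI1G+WYhBNCcHpBdBWhrg04hGNjrIYeFn
-----END CERTIFICATE-----"""

_DN_OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",   # 2.5.4.x types
            b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}
SKI_OID, AKI_OID = b"\x55\x1d\x0e", b"\x55\x1d\x23"   # 2.5.29.14 subjectKeyId, 2.5.29.35 authorityKeyId

def _tlv(buf, pos):
    """One DER tag-length-value at buf[pos] -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length follows
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """(tag, content) of each element inside a SEQUENCE/SET content."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out

def _dn(content):
    """Name -> 'C=US, O=..., CN=...': a SEQUENCE of RDN SETs of AttributeTypeAndValue SEQUENCEs."""
    parts = []
    for _, rdn in _children(content):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{_DN_OIDS.get(oid, oid.hex())}={val.decode('latin-1')}")
    return ", ".join(parts)

def _time(tag, val):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_cert(pem):
    """Serial, issuer, subject, validity and SKI/AKI key identifiers of one PEM certificate."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)        # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])            # tbsCertificate fields
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    (nb_tag, nb), (na_tag, na) = _children(validity[1])
    info = {"serial": int.from_bytes(serial[1], "big"), "ski": None, "aki": None,
            "issuer": _dn(issuer[1]), "issuer_der": issuer[1],
            "subject": _dn(subject[1]), "subject_der": subject[1],
            "not_before": _time(nb_tag, nb), "not_after": _time(na_tag, na)}
    for tag, val in fields[5:]:
        if tag != 0xA3:                                  # only [3] EXPLICIT extensions
            continue
        for _, ext in _children(_children(val)[0][1]):   # Extension: oid, [critical], OCTET STRING
            parts = _children(ext)
            oid, inner = parts[0][1], _children(parts[-1][1])[0]   # extnValue wraps one DER value
            if oid == SKI_OID:
                info["ski"] = inner[1].hex()             # OCTET STRING keyIdentifier
            elif oid == AKI_OID:                         # AuthorityKeyIdentifier SEQUENCE, [0] keyIdentifier
                info["aki"] = next((v.hex() for t, v in _children(inner[1]) if t == 0x80), None)
    return info

def check_chain(user, ca, now=None):
    """What to look at before shipping the exported pair: chaining and validity windows."""
    now = now or datetime.now(timezone.utc)
    return {"issuer_matches_ca_subject": user["issuer_der"] == ca["subject_der"],
            "aki_matches_ca_ski": user["aki"] is not None and user["aki"] == ca["ski"],
            "ca_is_self_signed": ca["issuer_der"] == ca["subject_der"],
            "user_within_ca_validity": ca["not_before"] <= user["not_before"]
                                       and user["not_after"] <= ca["not_after"],
            "user_currently_valid": user["not_before"] <= now <= user["not_after"]}

if __name__ == "__main__":
    ca, user = parse_cert(CA_PEM), parse_cert(USER_PEM)
    print(f"user cert: {user['subject']}\n  issued by: {user['issuer']}")
    for key, ok in check_chain(user, ca).items():
        print(f"  [{'ok' if ok else 'FAIL'}] {key}")
```

Paste the downloaded CERTB64 datasets in place of the two constants and run the script. On the page's own samples it confirms that the user certificate's issuer and authority key identifier match the CA (CN=PSSGREG issued by OU=Proginet Local CertAuth), but it also flags that the user certificate expires on 2002-08-31, a day after the CA certificate it was signed with (2002-08-30), and that both have long since expired; those are exactly the findings to catch before the files are distributed. The receiving system should still perform a full signature check, for example with `openssl verify -CAfile ca.pem user.pem`.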