RACF FACILITY Class

If you are assigned the tasks of administering certificates and key rings, you must have the necessary authority levels granted in the FACILITY class profiles.

The FACILITY class profiles are as follows:
  • IRR.DIGTCERT.CONNECT
  • IRR.DIGTCERT.EXPORT
  • IRR.DIGTCERT.EXPORTKEY
  • IRR.DIGTCERT.KEYRING
  • IRR.DIGTCERT.LIST
  • IRR.DIGTCERT.LISTRING
  • IRR.PASSWORD.RESET
  • IRR.PROGRAM.SIGNATURE.VERIFICATION

In many of these profiles, administrators require higher authority levels than end users; some profiles do not require end users to have any authorization. To ensure that the proper authorization levels are assigned in accordance with the intended usage, follow the guidelines outlined in IBM’s Security Server (RACF) documentation for the RACDCERT command.

Note: In many cases, during installation and verification of the EMS client, it is useful for the installation team to be able to confirm that the certificates and rings have been installed as intended, either for internal verification or at the direction of TIBCO Support. If this capability is desired and the installation team members can log in with the user ID used to run the EMS client, they need READ authority to IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING. Otherwise, they need UPDATE authority to list the certificates and the rings.

RACF Key Rings

RACF key rings must meet the following requirements:
  • The EMS client (batch job or started task) has a key ring.
  • The user assigned to the job or started task can read the key ring.
  • The EMS client has a certificate on the key ring.
  • The key ring includes the certificate authority (CA or certauth) certificate that was used to sign the client certificate.
  • The key ring name is specified in the ssl_ring parameter in the startup JCL.

RACF Certificates

RACF certificates must meet the following requirements:
  • The EMS client has a certificate uniquely identifying itself and its user.
  • The EMS client certificate is exported and installed on the EMS server.
  • The certificate is signed by the same certauth certificate that was placed on the client key ring.
  • The certificate label as given in the WITHLABEL parameter is specified in the ssl_label parameter in the startup JCL.

Sample JCL

An example JCL is provided as follows:

Data Set: <USERHLQ>.JCL

Member: SSLGCERT

This sample assumes that the user wants to generate the certificate using the RACF GENCERT function. This is one of several methods that can generate certificates usable by IBM System SSL.

Note the following conditions:
  • SIZE must be determined by usage. IBM places restrictions on size depending on where the certificate is stored and how it is used. SIZE is also used to determine the strength of the key. For example, a size of 1024 results in a medium-strength key.
  • NOTAFTER must be a date that does not exceed the ending date of the signing CA or certauth certificate. For example, if the end date of the CA is 2013-01-01, NOTAFTER must be 2013-01-01 or earlier. The GENCERT function fails otherwise.
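The following job is an added example, not the SSLGCERT member from <USERHLQ>.JCL. It walks through the key ring and certificate requirements above with RACDCERT: generate the client certificate, build the ring, connect the certauth and client certificates, export the certificate for the EMS server, and grant the two LIST profiles so the installation team can verify the result. The user ID EMSUSER, ring EMSRING, labels EMSCLIENT and LOCALCA, the export data set name, and the SIZE and NOTAFTER values are all assumed; the job is assumed to be submitted by a RACF administrator holding the FACILITY authority that the IBM RACDCERT documentation requires.

```jcl
//SSLGCERT JOB (ACCT),'EMS CLIENT CERT',CLASS=A,MSGCLASS=X
//*
//* Added example (assumed names): EMSUSER is the user ID that runs the
//* EMS client, EMSRING is its key ring (ssl_ring in the startup JCL),
//* EMSCLIENT is the certificate label (ssl_label in the startup JCL)
//* and LOCALCA is the label of the certauth certificate that signs it.
//*
//* Step 1: GENCERT a certificate for EMSUSER signed by LOCALCA.
//*   SIZE and NOTAFTER are constructed values; NOTAFTER must not be
//*   later than the end date of the LOCALCA certificate or GENCERT
//*   fails.
//* Step 2: create the ring and connect both the CA certificate
//*   (USAGE(CERTAUTH)) and the client certificate (USAGE(PERSONAL)),
//*   marking the client certificate as the ring default.
//* Step 3: export the client certificate in base64 so it can be
//*   installed on the EMS server.
//* Step 4: give EMSUSER READ on IRR.DIGTCERT.LIST and
//*   IRR.DIGTCERT.LISTRING, refresh the FACILITY class, then list the
//*   ring to verify that both certificates are connected.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACDCERT ID(EMSUSER) GENCERT                                    +
   SUBJECTSDN(CN('EMS Client') OU('Messaging') O('Example') C('US')) +
   WITHLABEL('EMSCLIENT')                                        +
   SIZE(2048)                                                    +
   NOTAFTER(DATE(2012-12-31))                                    +
   SIGNWITH(CERTAUTH LABEL('LOCALCA'))
 RACDCERT ID(EMSUSER) ADDRING(EMSRING)
 RACDCERT ID(EMSUSER) CONNECT(CERTAUTH LABEL('LOCALCA')          +
   RING(EMSRING) USAGE(CERTAUTH))
 RACDCERT ID(EMSUSER) CONNECT(ID(EMSUSER) LABEL('EMSCLIENT')     +
   RING(EMSRING) USAGE(PERSONAL) DEFAULT)
 RACDCERT ID(EMSUSER) EXPORT(LABEL('EMSCLIENT'))                 +
   DSN('EMSUSER.EMSCLIENT.CERT') FORMAT(CERTB64)
 PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(EMSUSER) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(EMSUSER) ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
 RACDCERT ID(EMSUSER) LISTRING(EMSRING)
/*
```

The final LISTRING output should show LOCALCA with usage CERTAUTH and EMSCLIENT with usage PERSONAL on EMSRING; if either is missing, the EMS client's startup JCL will reference a ring that does not satisfy the requirements listed above.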