To create a RACF® key ring, you must first generate a RACF CA certificate and a personal certificate for WebSphere® Message Broker, then connect the certificates to the key ring.

Each RACF key ring has its own name, up to 237 characters long, and is associated with a user ID. A RACF key ring is connected to a set of personal certificates and trusted certificates that are stored in the RACF database. The RACF command RACDCERT is used to create and delete key rings and to connect or disconnect certificates to the key rings. RACF key rings are also called System Authorization Facility (SAF) key rings. SAF is an open standard for accessing security services.

To create a RACF key ring to be used by AT-TLS on behalf of WebSphere Message Broker, complete the following steps.
- Generate a RACF certificate authority (CA) certificate.
You can use RACF as a CA to generate and sign personal certificates for your internal systems or applications. This certificate must be created once, and it is used to sign every personal certificate that is generated by RACF.
The following example shows how to use a RACF command to generate a RACF CA certificate.
RACDCERT CERTAUTH GENCERT +
SUBJECTSDN(CN('MQRootCA') +
OU('ISSW') +
O('IBM') +
L('HURSLEY') SP('WINCHESTER') C('GB')) +
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN CERTSIGN) +
WITHLABEL('MQRootCA') +
NOTAFTER(DATE(2020/01/30)) +
SIZE(1024)
- Generate a personal certificate for WebSphere Message Broker.
This certificate identifies a specific instance of WebSphere Message Broker. It is presented to the partner application during the SSL handshake, and it must be associated with the user ID under which WebSphere Message Broker is running.
The following example shows how to use a RACF command to generate the personal certificate for a broker called WI02BRK that is running under user ID WI02USR.
RACDCERT ID(WI02USR) +
GENCERT SUBJECTSDN(CN('WI02BRK') +
OU('ISSW') O('IBM') +
L('HURSLEY') SP('WINCHESTER') C('GB')) +
WITHLABEL('WI02BRK') SIZE(1024) +
SIGNWITH(CERTAUTH LABEL('MQRootCA')) +
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) +
NOTAFTER(DATE(2012/01/30))
- Create a RACF key ring and connect the certificates to the key ring.
The RACF key ring must be associated with a user ID (in this case, the WebSphere Message Broker user ID). The key ring must have a name (in this case, the same name as the broker), and the WebSphere Message Broker personal certificate must be connected to the key ring. The following example shows how to use a RACF command to create a key ring and connect the WebSphere Message Broker personal certificate.
RACDCERT ID(WI02USR) ADDRING(WI02BRK)
RACDCERT ID(WI02USR) +
CONNECT(ID(WI02USR) LABEL('WI02BRK') RING(WI02BRK))
RACDCERT ID(WI02USR) LISTRING(WI02BRK)
For RACF to validate a partner application certificate, you must import the signer certificate of the CA that generated and signed the personal certificate of the partner application. Typically, this certificate is extracted from the partner application keystore, transferred to z/OS® as a data set (WI02USR.VSR1BK.DER), imported to RACF, and connected to the RACF key ring as a signer (trusted) certificate.
The following example shows how to use a RACF command to add a signer certificate to RACF and connect it to the RACF key ring.
RACDCERT CERTAUTH ADD('WI02USR.VSR1BK.DER') +
WITHLABEL('VSR1BK') TRUST
RACDCERT CERTAUTH LIST(LABEL('VSR1BK'))
RACDCERT ID(WI02USR) +
CONNECT(CERTAUTH LABEL('VSR1BK') RING(WI02BRK))
RACDCERT ID(WI02USR) LISTRING(WI02BRK)
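The three steps above are easy to get subtly wrong (a ring name over the RACF limit, a broker certificate that outlives its signing CA, a user ID that is not a valid RACF ID). The following Python script, added here as an example and not part of the IBM documentation or product, builds the same RACDCERT sequence from a few parameters and rejects those mistakes before anything is submitted to TSO. The DN fields, labels, user ID and data set name are the ones from the examples above; the Cert class and the check() function are this example's own.

```python
from dataclasses import dataclass
from datetime import date

MAX_RING_NAME = 237  # RACF key ring name limit given in the procedure
# Subject DN fields other than CN, copied from the page's examples (constructed sample)
DN_TAIL = "OU('ISSW') O('IBM') L('HURSLEY') SP('WINCHESTER') C('GB')"

@dataclass
class Cert:
    label: str        # WITHLABEL value, reused in SIGNWITH and CONNECT
    cn: str           # CN in SUBJECTSDN
    not_after: date   # NOTAFTER(DATE(yyyy/mm/dd))
    size: int = 1024  # the page uses 1024; current practice is 2048 or larger

def _dn(c):
    return f"SUBJECTSDN(CN('{c.cn}') {DN_TAIL})"

def _not_after(c):
    return f"NOTAFTER(DATE({c.not_after.year}/{c.not_after.month:02d}/{c.not_after.day:02d}))"

def check(owner, ring, ca, personal):
    """Reject mistakes that RACDCERT, or the later TLS handshake, would fail on."""
    if not 1 <= len(owner) <= 8:
        raise ValueError("RACF user ID must be 1-8 characters")
    if not 1 <= len(ring) <= MAX_RING_NAME:
        raise ValueError(f"key ring name must be 1-{MAX_RING_NAME} characters")
    if personal.not_after > ca.not_after:  # leaf would outlive its issuer
        raise ValueError("personal certificate must not expire after the CA certificate")

def keyring_commands(owner, ring, ca, personal, signer_label, signer_dsn):
    """RACDCERT commands in page order, one per string (TSO '+' continuations joined)."""
    check(owner, ring, ca, personal)
    return [
        f"RACDCERT CERTAUTH GENCERT {_dn(ca)} KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN CERTSIGN) "
        f"WITHLABEL('{ca.label}') {_not_after(ca)} SIZE({ca.size})",
        f"RACDCERT ID({owner}) GENCERT {_dn(personal)} WITHLABEL('{personal.label}') "
        f"SIZE({personal.size}) SIGNWITH(CERTAUTH LABEL('{ca.label}')) "
        f"KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) {_not_after(personal)}",
        f"RACDCERT ID({owner}) ADDRING({ring})",
        f"RACDCERT ID({owner}) CONNECT(ID({owner}) LABEL('{personal.label}') RING({ring}))",
        # partner CA certificate, previously extracted to a data set, added as a trusted signer
        f"RACDCERT CERTAUTH ADD('{signer_dsn}') WITHLABEL('{signer_label}') TRUST",
        f"RACDCERT ID({owner}) CONNECT(CERTAUTH LABEL('{signer_label}') RING({ring}))",
        f"RACDCERT ID({owner}) LISTRING({ring})",
    ]

def page_certs():  # the CA and broker certificates from the page's examples
    return (Cert("MQRootCA", "MQRootCA", date(2020, 1, 30)),
            Cert("WI02BRK", "WI02BRK", date(2012, 1, 30)))

def page_example():
    ca, brk = page_certs()
    return keyring_commands("WI02USR", "WI02BRK", ca, brk, "VSR1BK", "WI02USR.VSR1BK.DER")
```

Each returned string is one complete command; split it on blanks and append " +" to all but the last line if you need the continuation form shown in the examples.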
Next: Configure and activate the policy agent by following the instructions in Configuring and activating the policy agent (PAGENT).