Perform the following steps to allow logons using X.509 certificates. This
sample setup uses RACF to store the certificates. Note that the RACF steps
must be performed by a security administrator.
- Define the initial certificate-related permits to allow the RSE user ID,
STCRSE, access to its RACF key ring.
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(READ) +
ID(stcrse)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(READ) +
ID(stcrse)
SETROPTS RACLIST(FACILITY) REFRESH
- Create a self-signed certificate, with label rdzrse,
to identify the RSE host (both daemon and server) to the client.
RACDCERT ID(stcrse) GENCERT SUBJECTSDN(CN('rdz rse ssl') +
OU('rdz') O('IBM') L('Raleigh') SP('NC') C('US')) +
NOTAFTER(DATE(2017-05-21)) WITHLABEL('rdzrse') +
KEYUSAGE(HANDSHAKE)
- Add the RSE host certificate to a newly created key ring, rdzssl.racf.
Note that if you use a host certificate signed by a Certificate Authority
(CA), the CA certificate must also be added to the key ring.
RACDCERT ID(stcrse) ADDRING(rdzssl.racf)
RACDCERT ID(stcrse) CONNECT(LABEL('rdzrse') RING(rdzssl.racf) +
DEFAULT USAGE(PERSONAL))
This concludes the RACF setup for the RSE host certificate.
- Change the certificate that identifies the Certificate Authority (CA)
used to sign the client certificate to a highly trusted CA certificate. Although
the TRUST status is sufficient for certificate validation, the change to HIGHTRUST
is made because that status is required for the certificate authentication part
of the logon process.
RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST
- Add the CA certificate to the key ring, rdzssl.racf,
so that it's available to validate the client certificates.
RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') +
RING(rdzssl.racf))
This concludes the RACF setup for the CA certificate.
- Define a resource (format IRR.HOST.hostname) in the
SERVAUTH class for the host name, CDFMVS08.RALEIGH.IBM.COM,
defined in the HostIdMappings extension of your client certificate.
RDEFINE SERVAUTH IRR.HOST.CDFMVS08.RALEIGH.IBM.COM UACC(NONE)
- Grant the RSE started task user ID, STCRSE,
access to this resource with READ authority.
PERMIT IRR.HOST.CDFMVS08.RALEIGH.IBM.COM CLASS(SERVAUTH) +
ACCESS(READ) ID(stcrse)
- Activate your changes to the SERVAUTH class. Use the
first command if the SERVAUTH class is not active yet. Use
the second one to refresh an active setup.
SETROPTS CLASSACT(SERVAUTH) RACLIST
or SETROPTS RACLIST(SERVAUTH) REFRESH
This concludes the RACF setup for the HostIdMappings extension.
- Update /etc/rdz/ssl.properties so RSE will know to use
SSL encrypted communication with the client.
enable_ssl=true
# Daemon Properties
daemon_keydb_file=rdzssl.racf
daemon_key_label=rdzrse
# Server Properties
server_keystore_file=rdzssl.racf
server_keystore_type=JCERACFKS
This concludes the RSE configuration setup for SSL.
- Restart the RSE started task to start accepting client logons using X.509
certificates.
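As an added check that is not part of the original procedure or of the RSE product, the following Python linter parses an ssl.properties file in the format shown above and flags settings that would undermine this setup: SSL not enabled, a missing key ring or certificate label, daemon and server pointing at different key stores, or a RACF key ring configured with a keystore type other than JCERACFKS. Both sample inputs are constructed.

```python
# Constructed sample matching the ssl.properties values shown above.
SAMPLE_OK = """enable_ssl=true
# Daemon Properties
daemon_keydb_file=rdzssl.racf
daemon_key_label=rdzrse
# Server Properties
server_keystore_file=rdzssl.racf
server_keystore_type=JCERACFKS
"""

# Constructed weak variant: SSL switched off and a non-RACF keystore type for a key ring.
SAMPLE_WEAK = """enable_ssl=false
daemon_keydb_file=rdzssl.racf
daemon_key_label=rdzrse
server_keystore_file=rdzssl.racf
server_keystore_type=JKS
"""


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ssl_properties(text):
    """Return a list of findings; an empty list means the file is consistent."""
    p = parse_properties(text)
    findings = []
    if p.get("enable_ssl", "").lower() != "true":
        findings.append("enable_ssl is not true: client logons are not SSL protected")
    for key in ("daemon_keydb_file", "daemon_key_label",
                "server_keystore_file", "server_keystore_type"):
        if not p.get(key):
            findings.append(f"{key} is missing or empty")
    daemon_store, server_store = p.get("daemon_keydb_file"), p.get("server_keystore_file")
    if daemon_store and server_store and daemon_store != server_store:
        findings.append("daemon and server point at different key stores")
    # A RACF key ring is a name, not a path, and must be opened as type JCERACFKS.
    if server_store and "/" not in server_store and p.get("server_keystore_type") != "JCERACFKS":
        findings.append("server_keystore_type must be JCERACFKS for a RACF key ring")
    return findings
```

Run it against the live /etc/rdz/ssl.properties after the edit and before restarting RSE; any finding means a client could still log on without the protections configured above.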