Sample setup for supporting X.509 certificate logons

Perform the following steps to allow logons using X.509 certificates. This sample setup uses RACF to store the certificates. Note that the RACF steps must be performed by a security administrator.
  1. Define the initial certificate-related permits that allow the RSE user ID, STCRSE, access to its RACF key ring.
    RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
    PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(READ) +
      ID(stcrse)
    PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(READ) +
      ID(stcrse)
    SETROPTS RACLIST(FACILITY) REFRESH
  2. Create a self-signed certificate, with label rdzrse, to identify the RSE host (both daemon and server) to the client.
    RACDCERT ID(stcrse) GENCERT SUBJECTSDN(CN('rdz rse ssl') +
      OU('rdz') O('IBM') L('Raleigh') SP('NC') C('US')) +
      NOTAFTER(DATE(2017-05-21)) WITHLABEL('rdzrse') +
      KEYUSAGE(HANDSHAKE)
  3. Add the RSE host certificate to a newly created key ring, rdzssl.racf. Note that if you use a host certificate signed by a Certificate Authority (CA), the CA certificate must also be added to the key ring.
    RACDCERT ID(stcrse) ADDRING(rdzssl.racf)
    RACDCERT ID(stcrse) CONNECT(LABEL('rdzrse') RING(rdzssl.racf) +
      DEFAULT USAGE(PERSONAL))

    This concludes the RACF setup for the RSE host certificate.

  4. Change the status of the certificate that identifies the Certificate Authority (CA) used to sign the client certificate to HIGHTRUST. Although the TRUST status is sufficient for certificate validation, the certificate is changed to HIGHTRUST because that status is used for the certificate authentication part of the logon process.
    RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST
  5. Add the CA certificate to the key ring, rdzssl.racf, so that it is available to validate the client certificates.
    RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') +
      RING(rdzssl.racf))

    This concludes the RACF setup for the CA certificate.

  6. Define a resource (format IRR.HOST.hostname) in the SERVAUTH class for the host name, CDFMVS08.RALEIGH.IBM.COM, that is defined in the HostIdMappings extension of your client certificate.
    RDEFINE SERVAUTH  IRR.HOST.CDFMVS08.RALEIGH.IBM.COM  UACC(NONE)
  7. Grant the RSE started task user ID, STCRSE, READ access to this resource.
    PERMIT IRR.HOST.CDFMVS08.RALEIGH.IBM.COM  CLASS(SERVAUTH) +
      ACCESS(READ) ID(stcrse)
  8. Activate your changes to the SERVAUTH class. Use the first command if the SERVAUTH class is not active yet. Use the second one to refresh an active setup.
    SETROPTS CLASSACT(SERVAUTH) RACLIST
    or
    SETROPTS RACLIST(SERVAUTH) REFRESH

    This concludes the RACF setup for the HostIdMappings extension.

  9. Update /etc/rdz/ssl.properties so that RSE uses SSL-encrypted communication with the client.
    enable_ssl=true
    
    # Daemon Properties
    daemon_keydb_file=rdzssl.racf
    daemon_key_label=rdzrse
    
    # Server Properties
    server_keystore_file=rdzssl.racf
    server_keystore_type=JCERACFKS

    This concludes the RSE configuration setup for SSL.

  10. Restart the RSE started task to start accepting client logons using X.509 certificates.
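The values in steps 2 to 9 must agree with each other (the certificate label, the key ring name and the IRR.HOST resource each appear in more than one place), and a mismatch only shows up as a failed logon after the restart. The following added example (Python, not part of the original page or of the RSE product) joins the '+' continuation lines of the RACF commands, parses ssl.properties and reports any disagreement before the RSE started task is restarted; the sample inputs are constructed from the values above, and the function names and the expected_host argument are assumptions of this example.

```python
import re
# Constructed sample input, abridged from steps 2 to 7 and step 9 above:
# RACF commands ('+' marks a continuation line) and the ssl.properties file.
RACF_SCRIPT = """\
RACDCERT ID(stcrse) GENCERT SUBJECTSDN(CN('rdz rse ssl') O('IBM') C('US')) +
  NOTAFTER(DATE(2017-05-21)) WITHLABEL('rdzrse') KEYUSAGE(HANDSHAKE)
RACDCERT ID(stcrse) ADDRING(rdzssl.racf)
RACDCERT ID(stcrse) CONNECT(LABEL('rdzrse') RING(rdzssl.racf) +
  DEFAULT USAGE(PERSONAL))
RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') +
  RING(rdzssl.racf))
RDEFINE SERVAUTH  IRR.HOST.CDFMVS08.RALEIGH.IBM.COM  UACC(NONE)
PERMIT IRR.HOST.CDFMVS08.RALEIGH.IBM.COM CLASS(SERVAUTH) ACCESS(READ) ID(stcrse)
"""
SSL_PROPERTIES = """\
enable_ssl=true
# Daemon Properties
daemon_keydb_file=rdzssl.racf
daemon_key_label=rdzrse
server_keystore_file=rdzssl.racf
server_keystore_type=JCERACFKS
"""

def join_continuations(script):
    """Join lines ending in '+' so that each list entry is one logical RACF command."""
    cmds, cur = [], ""
    for line in (l.strip() for l in script.splitlines() if l.strip()):
        cur += line.rstrip("+").rstrip() + " "
        if not line.endswith("+"):
            cmds.append(cur.strip())
            cur = ""
    return cmds

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    return dict(l.strip().split("=", 1) for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith("#") and "=" in l)

def check_setup(script, properties, expected_host):
    """Return findings where the RACF commands and ssl.properties disagree."""
    p = parse_properties(properties)
    # Compare only the host (PERSONAL) certificate; skip the CERTAUTH (client CA) commands.
    text = "\n".join(c for c in join_continuations(script) if "CERTAUTH" not in c.upper())
    labels = set(re.findall(r"LABEL\('([^']+)'\)", text))                   # WITHLABEL and LABEL
    rings = set(re.findall(r"RING\(([^)]+)\)", text))                        # ADDRING and RING
    hosts = {h.upper() for h in re.findall(r"IRR\.HOST\.(\S+)", text, re.I)}  # RDEFINE and PERMIT
    labels.add(p.get("daemon_key_label"))
    rings.update({p.get("daemon_keydb_file"), p.get("server_keystore_file")})
    hosts.add(expected_host.upper())  # host name from the client certificate's HostIdMappings
    checks = {"certificate label": labels, "key ring": rings, "HostIdMappings host name": hosts}
    return [f"{k} mismatch: {sorted(map(str, v))}" for k, v in checks.items() if len(v) != 1]
```

An empty list means every label, ring and host name agrees; each finding names the values that disagree, so a typo in ssl.properties or in a PERMIT is caught before the restart in step 10.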