You can export a signer certificate, which is also called a certificate
authority (CA) certificate, from WebSphere Application Server for z/OS to
a truststore.
Before you begin
WebSphere Application Server, WebSphere Application Server Network
Deployment, or WebSphere Application Server - Express can use the certificate
in the truststore.
About this task
To export the certificate to a truststore, complete
the following steps:
Procedure
- Export the z/OS® signer certificate to a data set by issuing the
following Resource Access Control Facility (RACF) command as a super user
using Time Sharing Option (TSO) option 6:
RACDCERT CERTAUTH EXPORT(LABEL('signer_certificate')) DSN('mvs.dataset') FORMAT(CERTDER)
The signer_certificate variable
is the RACF label name of the certificate that the cell uses. The exported certificate can
have either a Base64-encoded ASCII data type or a Binary DER data type; the FORMAT(CERTDER)
keyword in this command produces the binary DER form. The mvs.dataset variable
is the data set name to which the certificate is exported. You do not need
to pre-allocate this data set because RACF creates it.
- From a command line on the non-z/OS platform server, type cd and
change to the following directory:
install_root/profiles/default/etc
- From an FTP prompt on the non-z/OS platform server, type bin to
switch the transfer to binary mode.
- From an FTP prompt on the non-z/OS platform server, type the following
command:
get 'mvs.dataset' signer_certificate
- On the non-z/OS platform server, change to the install_root/bin directory
and start the iKeyman utility, which is called ikeyman.bat for
Windows or ikeyman.sh for UNIX.
- Within the iKeyman utility, open the server truststore.
The default server truststore is called the DummyServerTrustFile.jks file.
The file is located in the ${USER_INSTALL_ROOT}/etc/ directory. The
default password is WebAS. It is recommended that you create a new
key file and trust file if you plan to use the certificate in a production
environment.
- Add your exported signer certificate to the server truststore using
the iKeyman utility. Complete the following steps to add your exported signer
certificate:
  - Select Signer certificates from the menu.
  - Select the correct data type. The signer certificate can have
  either a Base64-encoded ASCII data type or a Binary DER data type.
  - Specify the fully qualified path and file name of the signer
  certificate.
- Within the iKeyman utility, open the client truststore.
The default client truststore is called the DummyClientTrustFile.jks file.
The file is located in the ${USER_INSTALL_ROOT}/etc/ directory. The default
password is WebAS. It is recommended that you create a new key file
and trust file if you plan to use the certificate in a production environment.
- Add your exported signer certificate to the client truststore using
the iKeyman utility. Complete the following steps to add your exported signer
certificate:
  - Select Signer certificates from the menu.
  - Select the correct data type. The signer certificate can have
  either a Base64-encoded ASCII data type or a Binary DER data type.
  - Specify the fully qualified path and file name of the signer
  certificate.
- Restart the server process to use the new signer certificates.
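The two places this procedure most often goes wrong are the FTP transfer (a text-mode transfer from z/OS mangles the binary DER bytes) and the data-type choice in iKeyman (Base64 ASCII versus Binary DER). The following script is an added example, not part of the IBM procedure, that checks the transferred file before you import it: it reports whether the file is PEM/Base64 or raw DER and verifies that the outer DER SEQUENCE length matches the file size, which a truncated or text-mode-corrupted transfer will not. The sample inputs are constructed DER-shaped byte strings, not real certificates.

```python
"""Sanity-check a signer (CA) certificate file before importing it into
a truststore. Added example; not code from the IBM procedure."""
import base64
import re
import sys

# A PEM body sits between these markers; the regex tolerates line breaks.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_sequence_length(data: bytes):
    """Return the total byte length of the outer DER SEQUENCE (tag 0x30),
    or None if the header is not a well-formed SEQUENCE.
    Every X.509 certificate is encoded as one outer SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:               # short form: length is this one byte
        return 2 + first
    n = first & 0x7F               # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def classify_certificate(data: bytes) -> dict:
    """Classify the file as 'base64', 'der' or 'unknown' and say whether
    its outer DER structure is intact (the length header matches the size)."""
    m = PEM_RE.search(data)
    if m:
        fmt = "base64"
        try:
            # b64decode discards the newlines inside the PEM body
            der = base64.b64decode(m.group(1))
        except ValueError:
            return {"format": fmt, "valid": False, "reason": "bad Base64 body"}
    elif data[:1] == b"\x30":
        fmt = "der"
        der = data
    else:
        return {"format": "unknown", "valid": False,
                "reason": "no PEM header and no DER SEQUENCE at offset 0; "
                          "if this came from z/OS, check that FTP used binary mode"}
    total = der_sequence_length(der)
    if total is None:
        return {"format": fmt, "valid": False, "reason": "malformed DER length header"}
    if total != len(der):
        return {"format": fmt, "valid": False,
                "reason": f"DER length {total} does not match size {len(der)} "
                          "(truncated or corrupted transfer)"}
    return {"format": fmt, "valid": True, "reason": "outer DER structure intact"}


# Constructed samples (NOT real certificates): a minimal outer SEQUENCE whose
# long-form length header (0x82 0x01 0x2c) announces 300 content bytes.
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_TRUNCATED = SAMPLE_DER[:200]          # transfer cut short
SAMPLE_TEXT_MODE = bytes(b ^ 0x80 for b in SAMPLE_DER)  # constructed: bytes mangled by a text-mode transfer


def check_file(path: str) -> dict:
    """Read a certificate file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_certificate(fh.read())


if __name__ == "__main__":
    # Usage: python check_signer.py install_root/profiles/default/etc/signer_certificate
    for p in sys.argv[1:]:
        r = check_file(p)
        print(f"{p}: format={r['format']} valid={r['valid']} ({r['reason']})")
```

Run it against the file you fetched with FTP before opening iKeyman: a result of format=der tells you to pick Binary DER in the "Select the correct data type" step, format=base64 tells you to pick Base64-encoded ASCII, and valid=False means the file should be transferred again in binary mode rather than imported.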
What to do next
After completing these steps, you can use the exported signer certificates
with the WebSphere Application Server, WebSphere Application Server Network
Deployment, or WebSphere Application Server - Express products.