It is often necessary to export certificates created in RACF and
import them into a distributed WebSphere Application Server. Reasons for doing
this are that you are preparing the distributed WebSphere Application Server
for federation into an ND cell on z/OS or that you are using RACF as the certificate
authority (CA) to issue certificates used by the distributed WebSphere Application
Server cell.
Before you begin
You must have an existing CA certificate and server certificate from
RACF or other security product that you want to export.
About this task
Complete the following steps to export the RACF certificates, transfer them
to the WebSphere Application Server, and then use the administrative console
to import and install them:
Procedure
- Export the CA certificate without a password, in PKCS#7 binary
format (DER).
- Export the server certificate with a password, in PKCS#12 binary
format (P12).
- Perform the export by running a job as illustrated below:
Note: Run this job as a user who has the authority to update RACF.
//KEARNEYB JOB CLASS=A,MSGCLASS=O
//STEP1 EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=O
//SYSTSIN DD *
RACDCERT CERTAUTH EXPORT(LABEL('WebSphereCA.YY')) -
DSN('KEARNEY.YYCA.DER') FORMAT(CERTDER)
RACDCERT ID(YYACRU) EXPORT(LABEL('DefaultWASCert.YYSR')) -
DSN('KEARNEY.YYCERT.P12') FORMAT(PKCS12DER) PASSWORD('secret')
/*
- Use the file transfer program (FTP) in binary mode to transfer
the files from z/OS to the distributed WebSphere Application Server.
- Log in to the distributed WebSphere Application Server administrative
console.
- Click Security > SSL certificate and key management > SSL configurations.
- Click on NodeDefaultSSLSettings. Under "Related items", click Key
stores and certificates. NodeDefaultKeyStore and NodeDefaultTrustStore
are files that contain the certificates used by this application server. You
can administer these files through the administrative console.
- Click on NodeDefaultTrustStore. The NodeDefaultTrustStore
contains the trusted signer certificates used by the application server. These
include the CA certificate that signed the server certificate, or the CA certificates
of other servers that this application server can communicate with.
- Under Additional properties, click Signer certificates.
The default certificate is installed in the NodeDefaultTrustStore because
it is self-signed. The dummyclientsigner and dummyserversigner certificates
are also there.
- Prepare to add the exported CA certificate. Click the Add button.
- Specify an alias (a label) for the certificate that you are importing.
The file name points to the location of the CA certificate that you
transferred (FTP) to the application server. The data type must be binary
DER data because you exported the certificate in binary.
- Click the Apply button. You have just imported
the CA certificate.
- Click Save and synchronize this change to the server and
any nodes. The imported CA certificate now appears in the list
of the NodeDefaultTrustStore. After restarting the application server, the
server now trusts certificates issued by that imported CA.
- Click on NodeDefaultKeyStore. The NodeDefaultKeyStore
contains the personal certificate that the application server presents to
clients in the SSL handshake.
Note: You are installing the personal certificate
that you exported from RACF. Although it's a personal certificate, it's often
referred to as a server certificate, because it represents the identity of
the server.
- Under Additional Properties, click Personal certificates.
The list shows the personal certificate currently used by the application server,
which was generated as part of the cell configuration process.
- Click default to see more detail. The 'default'
certificate is self-signed. That is, it is signed using its own private key.
This certificate does not have an associated certificate authority (CA) certificate.
- Click the browser back button to return to the previous
page.
- Click Import. You are now ready to replace the
default certificate with the personal certificate you exported from RACF and
transferred (FTP) to the application server.
- Click the Get key file aliases button. The Key
file name field identifies the location of the exported .p12 file. The Type
field is for PKCS12. The Key file password field is the password you used
to export the certificate from RACF to the application server.
- Select a certificate alias from the Certificate alias to import
drop down list and specify in the Imported certificate alias field a name
for the imported certificate. The Certificate alias to import
drop down list will have the alias (label) of the certificate in the .p12
file. The Imported certificate alias field is used for whatever you would
like to call the certificate.
- Click Save and synchronize this change to the application
server and any nodes in the configuration. The server certificate
now appears in the list of personal certificates.
Note: Servers read their key stores only when they start up, so the cell must
be restarted before WebSphere Application Server uses the new certificates.
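The procedure depends on the .der and .p12 files surviving the FTP transfer in binary mode, and the import then asks for the binary DER data type. The following standard-library Python script is an added check that is not part of the original procedure: it reads a transferred file and reports whether it is an intact X.509 DER certificate, PKCS#7 DER, PKCS#12 file, or PEM, or whether it is damaged (for example by an ASCII-mode transfer); the function names and the sample bytes used to exercise it are constructed for this example.

```python
"""Check a certificate file transferred from z/OS before importing it.

Added example, not part of the original procedure. The outer ASN.1 SEQUENCE
of a DER file encodes the total length, so comparing it with the file size
detects truncation or EBCDIC-to-ASCII translation from an ASCII-mode FTP.
"""


def _read_tlv(data: bytes, offset: int = 0):
    """Return (tag, value_start, value_length) of the DER TLV at offset, or None."""
    if offset + 2 > len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                        # short-form length
        return tag, offset + 2, first
    nbytes = first & 0x7F                   # long-form: number of length octets
    if nbytes == 0 or offset + 2 + nbytes > len(data):
        return None                         # indefinite length is not valid DER
    length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
    return tag, offset + 2 + nbytes, length


def classify(data: bytes) -> str:
    """Return 'x509-der', 'pkcs7-der', 'pkcs12-der', 'pem', or an 'error: ...' text."""
    if data.startswith(b"-----BEGIN"):
        return "pem"                        # not the 'binary DER' data type the console expects
    outer = _read_tlv(data)
    if outer is None or outer[0] != 0x30:   # 0x30 = SEQUENCE
        return "error: not DER (ASCII-mode FTP transfer?)"
    _, start, length = outer
    if start + length != len(data):
        return f"error: DER length {start + length} != file size {len(data)}"
    inner = _read_tlv(data, start)
    if inner is None:
        return "error: empty SEQUENCE"
    if inner[0] == 0x30:                    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "x509-der"
    if inner[0] == 0x06:                    # ContentInfo ::= SEQUENCE { contentType OID, ... }
        return "pkcs7-der"
    if inner[0] == 0x02 and data[inner[1]:inner[1] + inner[2]] == b"\x03":
        return "pkcs12-der"                 # PFX ::= SEQUENCE { version INTEGER (v3), ... }
    return "error: unrecognised DER structure"


def check_file(path: str) -> str:
    """Classify the file at path (for example the transferred YYCA.DER or YYCERT.P12)."""
    with open(path, "rb") as fh:
        return classify(fh.read())
```

Run check_file on each transferred file; anything other than x509-der or pkcs7-der for the CA file, or pkcs12-der for the server file, means the transfer should be repeated in binary mode before importing.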
Results
You have exported certificates created in RACF and imported them into
a distributed WebSphere Application Server.