You can import a signer certificate, which is also called a certificate
authority (CA) certificate, from a truststore on a non-z/OS platform server
to a z/OS keyring.
About this task
To import a certificate to a z/OS keyring,
complete the following steps:
Procedure
- On the non-z/OS platform server, change to the install_root/bin directory
and start the iKeyman utility, which is called ikeyman.bat (Windows)
or ikeyman.sh (UNIX). The install_root variable
refers to the installation path for WebSphere Application Server.
- Within the iKeyman utility, open the server
truststore. The default server truststore is called the trust.p12 file.
The file is located in the ${USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name> directory.
The default password is WebAS.
- Extract the signer certificate from the truststore using the ikeyman utility.
Complete the following steps to extract the signer certificate:
- Select Signer certificates from the menu.
- Select root from the list.
- Select Extract.
- Select the correct data type. The signer_certificate can have
either a Base64-encoded ASCII data type or a Binary DER data type.
- Specify the fully qualified path and the file name of the certificate.
- From an FTP prompt on the non-z/OS platform server, type ascii to
change the file transfer to ascii mode.
- You can ftp the certificate to the z/OS platform either as a file
in the Hierarchical File System (HFS) or as an MVS data set.
To ftp as a data set, from an FTP prompt on the non-z/OS platform server, type
put 'signer_certificate' mvs.dataset. The signer_certificate variable refers
to the name of the signer certificate on the non-z/OS platform server. The
mvs.dataset variable is the data set name to which the certificate was exported.
To ftp as a file in the HFS, from an FTP prompt on the non-z/OS platform
server, type put 'signer_certificate' file_name. The signer_certificate
variable refers to the name of the signer certificate on the non-z/OS platform
server. The file_name variable is the name of the file in the HFS to which
the certificate was exported.
The RACDCERT CERTAUTH ADD command in the next step works with a Multiple
Virtual Storage (MVS) data set only. You can either turn the certificate file
into a binary MVS data set or use the put command with an HFS file, and then
use the following command to copy the file into an MVS data set:
cp -B /u/veser/Cert/W21S01N.p12 "//'VESER.CERT.W21S01N'"
- On the z/OS platform server, go to option 6 in the Interactive
System Productivity Facility (ISPF) dialog panels and issue the following
commands as a super user to add the signer certificate to the z/OS keyring:
- Type RACDCERT CERTAUTH ADD ('signer_certificate') WITHLABEL('Dummy Server CA') TRUST
The Dummy Server CA variable refers to the label name for the certificate
authority (CA) certificate that you are importing from a non-z/OS platform
server. The keyring_name variable used in the following commands refers to the
name of the z/OS keyring that is used by the servers in the cell.
- Type RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('Dummy Server CA') RING(keyring_name))
- Type RACDCERT ID(DMCR1) CONNECT(CERTAUTH LABEL('Dummy Server CA') RING(keyring_name))
- Type RACDCERT ID(DMSR1) CONNECT(CERTAUTH LABEL('Dummy Server CA') RING(keyring_name))
In the previous commands, ASCR1, DMCR1, and DMSR1 are the RACF
IDs under which the started tasks for the cell run in WebSphere Application
Server for z/OS. The ASCR1 value is the RACF ID for the application
server control region. The DMCR1 value is the RACF ID for the deployment
manager control region. The DMSR1 value is the RACF ID for the deployment
manager server region.
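The procedure above extracts the signer certificate in either the Base64-encoded ASCII or the Binary DER form and then transfers it by FTP; ascii mode translates the file to EBCDIC on z/OS, which is what the Base64 form needs but would alter DER bytes. The following Python helper is an added example, not part of the original page or of WebSphere: it classifies an extracted certificate file, reports the FTP mode that preserves it, and computes a SHA-256 fingerprint over the DER bytes so the file can be compared before and after the transfer. The sample data is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: a minimal DER SEQUENCE (not a real certificate), once as
# the Binary DER form and once as the Base64-encoded ASCII form.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_ok(data):
    """True if data is one DER SEQUENCE (tag 0x30) whose length field covers
    every remaining byte, so a truncated or padded transfer is detected."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)

def classify(data):
    """Return ("base64", der) or ("der", der) for an extracted signer
    certificate file; raise ValueError for anything else."""
    m = PEM_RE.search(data)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()))
        if not der_sequence_ok(der):
            raise ValueError("Base64 body does not decode to a DER SEQUENCE")
        return "base64", der
    if der_sequence_ok(data):
        return "der", data
    raise ValueError("not a Base64 or DER certificate file")

def ftp_mode(kind):
    """ascii mode is only safe for the Base64 form; DER bytes must go binary."""
    return "ascii" if kind == "base64" else "binary"

def fingerprint(data):
    """SHA-256 over the DER bytes, identical for the Base64 and DER copies of
    one certificate, so it can be compared before and after the transfer."""
    return hashlib.sha256(classify(data)[1]).hexdigest()
```

Run fingerprint() on the extracted file before the FTP step and on the HFS copy afterwards; matching values confirm the transfer did not alter the certificate before it is added to the keyring.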
Results
After completing these steps, the z/OS keyring contains the signer
certificates that originated on the non-z/OS platform server.
What to do next
To verify that the certificates were added, use option 6 on the ISPF
dialog panel and type the following command:
RACDCERT ID(CBSYMSR1) LISTRING(keyring_name)
The CBSYMSR1 value is the RACF ID for the application server region.
Note: Although iKeyman is
supported for WebSphere Application Server Version 6.1, customers are encouraged
to use the administrative console to export signer certificates.