WebSphere® allows a WebSphere administrator to perform certificate
management operations on System Authorization Facility (SAF) keyrings
by using the Open Cryptographic Services Facility (OCSF) Data
library functions for SAF keyrings. This task creates new keystore
configurations and their associated keyrings.
Before you begin
The JCERACFKS keystore is used with the IBMJCE provider or
the IBMJCECCA provider. You can use the JCERACFKS keystore for certificates
and keys that are managed and stored by resource access control facility
(RACF®). The uniform resource identifier (URI)
path reference for the JCERACFKS keystore is in the form of
safkeyring:///your_keyring_name.
Attention: The JCERACFKS keystore type is only available on
the z/OS® platform.
Important: You
must enable support for writable keyrings using the profile management
tool before generating the application server profiles. Writable
keyring support is only configurable when running at z/OS Release
1.9, or at z/OS Release 1.8 with APAR OA22287 (RACF, or
the APAR for your equivalent security product) and APAR OA22295
(SAF).
About this task
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management.
Under Configuration settings, click Manage endpoint security configurations >
{Inbound | Outbound} > ssl_configuration. Under Related
items, click Key stores and certificates. Then click the New button.
- Type a name in the Name field. This name uniquely
identifies the keystore in the configuration.
- Type the location of the keystore file in the Path field.
The URI must contain safkeyring, for example, safkeyring:///your_keyring_name.
- Type the keystore password in the Password field
as "password". To be compatible with JCE keystores, which require
a password, the JCERACFKS password is always "password". Unlike other
keystore types, this keystore is not actually protected by the password;
RACF protects it based on the identity of the executing thread.
This password is for the keystore file that you specified in the Path field.
- Select JCERACFKS for the Type and complete the rest of
the fields as appropriate.
- Deselect the Read only check box.
- For the control region user field, specify the control
region started task user ID (RACF ID) under which the control
region SAF keyring is created. The user ID must match the exact RACF ID
being used by the control region.
Note: This option only
applies when creating writable SAF keyrings on z/OS.
- For the servant region user field, specify the servant
region started task user ID (RACF ID) in which the servant region
SAF keyring is created. The user ID must match the exact RACF ID
being used by the servant region.
Note: This option only
applies when creating writable SAF keyrings on z/OS.
- Click OK then click Save to apply these changes
to the master configuration.
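The same keystore can be created through the command task framework (wsadmin) instead of the console. The following Jython script is an added example, not IBM's code: it enforces the rules stated in the procedure above (a safkeyring:/// path, the fixed "password" value, type JCERACFKS, Read only deselected, and a RACF ID for both the control and servant region), builds the AdminTask.createKeyStore parameter string, saves the master configuration, and reports the derived your_keystore_name-CR and your_keystore_name-SR objects described under Results. The parameter names -controlRegionUser and -servantRegionUser are assumed to be the command-framework equivalents of the two console fields, and the RACF ID pattern is an assumed format check only; it cannot confirm that the ID matches the started task. The helpers also import under plain Python so the rules can be exercised offline.

```python
# Added example (not IBM's code): wsadmin Jython equivalent of the console
# procedure for a writable JCERACFKS keystore. Written for Jython 2.x but
# importable under CPython 3 as well (no wsadmin objects at import time).
import re

SAF_PREFIX = "safkeyring:///"
JCERACFKS_PASSWORD = "password"   # fixed by the JCERACFKS keystore type
# Assumed RACF user ID format (1-8 chars, uppercase alphanumerics and @#$).
RACF_ID = re.compile(r"^[A-Z0-9@#$]{1,8}$")


def validate_saf_keystore(name, path, password, ks_type, read_only,
                          cr_user, sr_user):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    if not name:
        problems.append("name is required")
    if not path.startswith(SAF_PREFIX) or len(path) == len(SAF_PREFIX):
        problems.append("path must be of the form %s<keyring_name>" % SAF_PREFIX)
    if password != JCERACFKS_PASSWORD:
        problems.append('JCERACFKS password must be "%s"' % JCERACFKS_PASSWORD)
    if ks_type != "JCERACFKS":
        problems.append("type must be JCERACFKS")
    if read_only:
        problems.append("Read only must be deselected for a writable keyring")
    for label, user in (("control region", cr_user), ("servant region", sr_user)):
        if not RACF_ID.match(user or ""):
            problems.append("%s user must be a RACF ID (1-8 chars)" % label)
    return problems


def derived_keystore_names(name):
    """The -CR and -SR keystore objects that the create operation adds."""
    return (name + "-CR", name + "-SR")


def build_create_keystore_params(name, path, cr_user, sr_user, scope=None):
    """Build the createKeyStore parameter string; -controlRegionUser and
    -servantRegionUser are assumed names for the two console fields."""
    params = ("-keyStoreName %s -keyStoreLocation %s -keyStoreType JCERACFKS "
              "-keyStorePassword %s -keyStorePasswordVerify %s "
              "-keyStoreReadOnly false -controlRegionUser %s -servantRegionUser %s"
              % (name, path, JCERACFKS_PASSWORD, JCERACFKS_PASSWORD,
                 cr_user, sr_user))
    if scope:
        params = params + " -scopeName %s" % scope
    return "[" + params + "]"


def create_writable_saf_keystore(admin_task, admin_config, name, keyring,
                                 cr_user, sr_user, scope=None):
    """Validate, create the keystore, save the master configuration and
    return the names of the -CR/-SR keystore objects."""
    path = SAF_PREFIX + keyring
    problems = validate_saf_keystore(name, path, JCERACFKS_PASSWORD,
                                     "JCERACFKS", 0, cr_user, sr_user)
    if problems:
        raise ValueError("; ".join(problems))
    admin_task.createKeyStore(
        build_create_keystore_params(name, path, cr_user, sr_user, scope))
    admin_config.save()   # equivalent of clicking Save in the console
    return derived_keystore_names(name)


# AdminTask and AdminConfig exist only inside wsadmin; skip the call elsewhere.
try:
    AdminTask, AdminConfig
except NameError:
    AdminTask = AdminConfig = None

if AdminTask is not None:
    # Constructed sample values: replace with your keyring and started-task IDs.
    print(create_writable_saf_keystore(AdminTask, AdminConfig, "SAFWritableKS",
                                       "WASKeyring", "WASCR", "WASSR"))
```

Run it with `wsadmin -lang jython -f create_saf_keystore.py` (script name assumed) from a deployment manager or server profile where writable keyring support was enabled at profile creation; the validation runs before anything is changed, so a wrong path form or a lowercase RACF ID fails the script instead of producing a keystore that cannot be written to.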
Results
A keystore is now available to configure SSL connections.
Two additional keystore objects are created that can be accessed
through the administrative console for performing certificate write operations
on the appropriate keyring. The keystore objects are named
your_keystore_name-CR and your_keystore_name-SR, where
your_keystore_name is the name of the keystore specified on the create command.
your_keystore_name-CR corresponds to the keyring owned by the RACF ID
of the control region process, and your_keystore_name-SR corresponds
to the keyring owned by the RACF ID of the servant region process.
These keystores are created in the same scope as your_keystore_name and
can be accessed from the administrative console from the
your_keystore_name collection panel.
What to do next
You can continue securing communication between the client
and server using this keystore file when setting up an SSL configuration.
Additionally, you are now able to perform certificate management
operations from the administrative console or command task framework
on the writable keystore configurations generated by this command.
RACF keyring considerations
- Certificate deletion: When a certificate is deleted from a RACF keyring, the certificate
is not deleted from RACF. It is only disconnected from the keyring.
The certificate can be reconnected through RACF if it is accidentally
removed from the keyring. If you want the certificate completely deleted
from RACF, it must be removed by the RACF administrator.
- Import and export of certificates: During the import and export of certificates to and from managed
SAF keystores, if the certificate already exists in RACF under a different
label, then it is connected to the keyring with the existing
label regardless of the label you assign the certificate on the import
or export command.
- Renewing certificates: Certificates are not physically deleted from RACF. The existing
certificate label still exists in RACF, and renewing a certificate
increments the alias (label) of the certificate by appending _1, _2,
and so on, to the existing certificate label.