RACF keyring setup
Using Java to create a RACFInputStream for a RACF keystore
During the SSL authentication process, WebSphere® Application Server considers a certificate that connects as a PERSONAL certificate as a KeyEntry. You can use the certificate as an end-user certificate in a Secure Sockets Layer (SSL) handshake because the private key is available.
WebSphere Application Server considers a certificate that connects as a CERTAUTH certificate as a TrustedCertEntry and treats the certificate as a Certificate Authority (CA). Keyrings require certificates that connect as PERSONAL and CA certificates that connect as CERTAUTH. Certificates that connect as SITE are not supported in this release.
Certificate Label Name    Cert Owner    USAGE       DEFAULT
----------------------    ----------    --------    -------
PersonalEndUserCert       ID(USERID)    PERSONAL    YES
PersonalEndUserCACert     CERTAUTH      CERTAUTH    NO
security.provider.X=com.ibm.security.cert.IBMCertPath
If one of the RACF certificates fails to load, the keystore is not loaded. You must remove any unwanted certificates from the keyring.
The RACFInputStream constructor takes three parameters:
- userid - a string containing the ID of the user that owns the keyring
- ringid - a string containing the name of the RACF key ring
- password - a character array containing the password for the keystore
```java
import java.security.KeyStore;
import com.ibm.crypto.provider.RACFInputStream;

String ksfname = "my_key_ring";   // name of the RACF key ring (placeholder used in this topic)
char[] storePass = null;          // JCERACFKS does not use a keystore password
// Open the keyring owned by the current user as an input stream
RACFInputStream riStream = new RACFInputStream(System.getProperty("user.name"),
                                               ksfname,
                                               storePass);
// Load the keyring contents into a keystore of type JCERACFKS
KeyStore racfKeyStore = KeyStore.getInstance("JCERACFKS");
racfKeyStore.load(riStream, storePass);
riStream.close();
```
In the previous example, the system property user.name is referenced to provide the userID that WebSphere Application Server passes to RACF. This example is not typical. For more information about running the RACFInputStream script, see the document z/OS Unique Considerations for the Java 2 SDK, Standard Edition, v 6.0. A link to this z/OS® document is provided in the Related Links section of this topic.
Accessing a RACFInputStream using URLStreamHandler
In this release, you can access data through user-defined classes with the URLStreamHandler object. WebSphere Application Server can define the classes that access the data with the system property java.protocol.handler.pkgs. To access data that resides in a Service Authorization Facility (SAF) RACF keyring, use the safkeyring URL with the associated classes.
-Djava.protocol.handler.pkgs
If you are using the IBM® Java Cryptography Extension (IBMJCE) provider to provide cryptographic support, set the property to the following value:
-Djava.protocol.handler.pkgs=com.ibm.crypto.provider
If you are using the IBMJCE4758 provider to provide cryptographic support, set the property to the following value:
-Djava.protocol.handler.pkgs=com.ibm.crypto.hdwrCCA.provider
You can use a URL to specify a stream handler in the java.policy file. The jarsigner utility also accepts a URL for the -keystore parameter. When certificates in a RACF keyring are used to verify signed JAR files, you can specify in the java.policy file that WebSphere Application Server must use the keyring as the input stream for the keystore, as shown in the following example:
keystore "safkeyring://myracfid/my_key_ring", "JCERACFKS";
In this example:
- safkeyring is the URL keyword that the server uses to access the URLStreamHandler code to read data from the keyring
- myracfid is the RACF userid that has authority to read data from the keyring
- my_key_ring is the name of the keyring from which the data is read
- JCERACFKS is the keystore type defined for a SAF (RACF) keyring keystore
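The following program is an added example, not code from this topic or from WebSphere Application Server. It ties together the two mechanisms described above: it opens a keyring through the safkeyring URL handler (so java.protocol.handler.pkgs must name the IBMJCE handler package, as set earlier), loads it as a JCERACFKS keystore, and then reports which labels the Java side sees as a KeyEntry (connected as PERSONAL, private key available) and which as a TrustedCertEntry (connected as CERTAUTH, treated as a CA). It also flags any CERTAUTH entry whose certificate does not carry the CA basic constraint, since such an entry would still be trusted as an anchor. The user ID myracfid, the ring name my_key_ring and the class name RacfKeyringInventory are placeholders; an IBM z/OS JDK with the IBMJCE provider is assumed.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: inventory a SAF/RACF keyring loaded through the safkeyring URL.
// Run as: java -Djava.protocol.handler.pkgs=com.ibm.crypto.provider RacfKeyringInventory [userid] [ring]
public class RacfKeyringInventory {

    public static void main(String[] args) throws Exception {
        String userid = args.length > 0 ? args[0] : "myracfid";     // placeholder RACF user ID
        String ring   = args.length > 1 ? args[1] : "my_key_ring";  // placeholder keyring name

        // The handler package must be known before the first safkeyring: URL is built.
        // Normally it comes from the -D option on the command line; as a fallback this
        // sets the IBMJCE value named in this topic (assumption: IBMJCE, not IBMJCE4758).
        if (System.getProperty("java.protocol.handler.pkgs") == null) {
            System.setProperty("java.protocol.handler.pkgs", "com.ibm.crypto.provider");
        }

        KeyStore ks = KeyStore.getInstance("JCERACFKS");
        URL ringUrl = new URL("safkeyring://" + userid + "/" + ring);

        // JCERACFKS does not use a keystore password; RACF authority on the keyring applies.
        InputStream in = ringUrl.openStream();
        try {
            ks.load(in, null);
        } finally {
            in.close();
        }

        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            String kind;
            if (ks.isKeyEntry(alias)) {
                kind = "KeyEntry        (PERSONAL, usable as end-user certificate in the SSL handshake)";
            } else if (ks.isCertificateEntry(alias)) {
                kind = "TrustedCertEntry (CERTAUTH, used as a Certificate Authority)";
            } else {
                kind = "unknown entry type";
            }

            // A CERTAUTH entry is trusted as a CA regardless of its basicConstraints,
            // so a non-CA certificate connected as CERTAUTH is worth pointing out.
            String warning = "";
            if (ks.isCertificateEntry(alias) && c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (x.getBasicConstraints() == -1) {
                    warning = "   [WARNING: certificate is not marked as a CA]";
                }
            }
            System.out.printf("%-28s %s%s%n", alias, kind, warning);
        }
    }
}
```

Because the keyring is loaded through the same URL handler that the java.policy keystore entry and the jarsigner -keystore parameter use, the listing this program produces is also the set of labels those two consumers will see; a label missing here is the usual reason a java.policy signedBy clause or a jarsigner run cannot find its certificate.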
jarsigner -keystore safkeyring://myracfid/my_key_ring -signedjar ibmjceproviders.jar ibmjceprovider.jar ibmprovider -storetype JCERACFKS
- z/OS SecureWay Security Server RACF Security Administrator's Guide - SA22-7683
- z/OS SecureWay Security Server RACF Command Language Reference - SA22-7687