Creating and configuring digital certificates in RACF

Overview

Suitable digital certificates, together with their key pairs, must exist before the BSA TCP/IP server and its clients can use SSL/TLS.

Managing certificates

There are numerous ways to create and manage digital certificates and their related key pairs. Under z/OS, this includes the following options:

  • z/OS Security Server RACF (and other SAF-compliant external security managers)
  • The gskkyman tool that is included with System SSL
  • z/OS Cryptographic Services PKI Services

In our example, we will use z/OS Security Server RACF.

Required actions

Following is a summary of the required actions:

  1. Authorize the BSA TCP/IP server started task (for example BETA02W) to work with digital certificates, i.e. to read its own key ring and the certificates connected to it.
  2. Define a digital certificate together with a digital key ring, and connect the certificate to the ring. You can use a self-signed certificate or a certificate signed by a certificate authority (CA); in the CA case the CA certificate must be connected to the ring as well.
  3. Export the certificate into a dataset, transfer the dataset via ftp to the client PC, and then make the certificate available to the appropriate application on the PC (for example, Web Enabler). Transfer with ASCII conversion if the certificate is base64 encoded, otherwise transfer in binary mode. Only the public certificate is exported this way; the private key stays in RACF. Because ftp offers no integrity protection, compare the certificate fingerprint on the PC with the one RACF shows before trusting it.

The required commands can be found in a sample job in member TTLSCERT in the BETA.SAMPLIB.
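The following job is an added illustration of the three steps above and is not the TTLSCERT sample member from BETA.SAMPLIB. All names in it are assumptions (started task user BETA02W, key ring BETARING, certificate labels, distinguished names, the dataset BETA.CERT.CAB64, the JOB card); replace them with the values used at your site. It must be run under a user ID with the authority to issue RACDCERT and SETROPTS (typically RACF SPECIAL). The job creates a local CA and a server certificate signed by it; for the self-signed variant, omit the SIGNWITH operand and the CERTAUTH commands, and export the server certificate instead of the CA certificate.

```jcl
//TTLSCERT JOB (ACCT),'RACF CERTS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: let the started task user read its own key ring.
//* READ on IRR.DIGTCERT.LISTRING covers rings owned by the user itself.
//* The RDEFINE commands fail harmlessly if the profiles already exist.
//*
//AUTH     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(BETA02W) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(BETA02W) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//*
//* Step 2: local CA, server certificate signed by it, key ring.
//* The server certificate is the DEFAULT certificate of the ring; the
//* CA certificate is connected with USAGE(CERTAUTH) so the ring can
//* present the full chain. Refresh DIGTCERT/DIGTRING if they are RACLISTed.
//*
//DEFINE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH GENCERT -
     SUBJECTSDN(CN('BETA Local CA') O('EXAMPLE') C('US')) -
     WITHLABEL('BETA LOCAL CA') -
     SIZE(2048) NOTAFTER(DATE(2035-12-31))
  RACDCERT ID(BETA02W) GENCERT -
     SUBJECTSDN(CN('bsa.example.com') O('EXAMPLE') C('US')) -
     WITHLABEL('BETA02W TTLS') -
     SIZE(2048) NOTAFTER(DATE(2027-12-31)) -
     SIGNWITH(CERTAUTH LABEL('BETA LOCAL CA'))
  RACDCERT ID(BETA02W) ADDRING(BETARING)
  RACDCERT ID(BETA02W) CONNECT(ID(BETA02W) LABEL('BETA02W TTLS') -
     RING(BETARING) DEFAULT USAGE(PERSONAL))
  RACDCERT ID(BETA02W) CONNECT(CERTAUTH LABEL('BETA LOCAL CA') -
     RING(BETARING) USAGE(CERTAUTH))
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT ID(BETA02W) LISTRING(BETARING)
/*
//*
//* Step 3: export the CA certificate (public part only, no private key)
//* in base64 form. Transfer BETA.CERT.CAB64 to the PC with ASCII
//* conversion; use FORMAT(CERTDER) and a binary transfer instead if the
//* PC application expects DER.
//*
//EXPORT   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH EXPORT(LABEL('BETA LOCAL CA')) -
     DSN('BETA.CERT.CAB64') FORMAT(CERTB64)
  RACDCERT CERTAUTH LIST(LABEL('BETA LOCAL CA'))
/*
```

The LISTRING output of step 2 should show the server certificate with DEFAULT: YES and USAGE: PERSONAL, and the CA certificate with USAGE: CERTAUTH; if the certificate does not appear there, the started task will not be able to present it. The final LIST command prints the certificate, including its fingerprint, which is the value to compare against what the PC application displays after import.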

You can also use the more detailed instructions for BSA CI as a model (see "Defining SSL authentication security").

Note

If the z/OS client is to open a TLS connection to a Unix/Windows server, the direction is reversed: create the certificates etc. on the Unix/Windows server and make the server's CA certificate (or its self-signed certificate) available to the user ID of the z/OS client, i.e. add it to RACF as a CERTAUTH certificate and connect it to the key ring of that user ID so the client can verify the server.