StorageTek Tape Analytics Configuration Guide, Version 1.0.2
E28378-04

Define RACF Keyrings and Certificates

6.
RACDCERT ID(stcuser) ADDRING(keyringname)

where:

stcuser

RACF user id associated with the TCPIP address space

keyringname

Name of the keyring; it must match the Keyring specified in the PAGENT configuration

RACDCERT ID(stcuser) GENCERT CERTAUTH SUBJECTSDN(CN('serverdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('calabel') TRUST SIZE(1024) KEYUSAGE(HANDSHAKE,DATAENCRYPT,CERTSIGN)

Note – This is the CA certificate for the STA system.

where:

stcuser

RACF user id associated with the TCPIP address space

serverdomainname

Domain name of the z/OS server (for example, MVSA.COMPANY.COM)

companyname

Organization name

unitname

Organizational unit name

country

Country

calabel

Label for certificate authority (for example, CATBISERVER)

RACDCERT ID(stcuser) GENCERT SUBJECTSDN(CN('serverdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('serverlabel') TRUST SIZE(1024) SIGNWITH(CERTAUTH LABEL('calabel'))

Note – This is the SERVER certificate.

where:

stcuser

RACF user id associated with the TCPIP address space

serverdomainname

Domain name of the z/OS server (for example, MVSA.COMPANY.COM)

companyname

Organization name

unitname

Organizational unit name

country

Country

serverlabel

Label for the server certificate (for example, TBISERVER)

calabel

Label for certificate authority, specified in the CA certificate definition

RACDCERT ID(stcuser) GENCERT SUBJECTSDN(CN('clientdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('clientlabel') TRUST SIZE(1024) SIGNWITH(CERTAUTH LABEL('calabel'))

Note – This is the CLIENT certificate.

where:

stcuser

RACF user id associated with the TCPIP address space

clientdomainname

Domain name of the STA client (for example, TBIA.COMPANY.COM)

companyname

Organization name

unitname

Organizational unit name

country

Country

clientlabel

Label for the client certificate – TBICLIENT

calabel

Label for certificate authority, specified in the CA certificate definition.

7.
RACDCERT ID(stcuser) CONNECT(CERTAUTH LABEL('calabel') RING('keyringname') USAGE(CERTAUTH))

where:

stcuser

RACF user id associated with the TCPIP address space

calabel

Label for certificate authority, specified in the CA certificate definition

keyringname

Name of the keyring; it must match the Keyring specified in the PAGENT configuration

RACDCERT ID(stcuser) CONNECT(ID(stcuser) LABEL('serverlabel') RING('keyringname') DEFAULT USAGE(PERSONAL))

where:

stcuser

RACF user id associated with the TCPIP address space

serverlabel

Label for the server certificate

keyringname

Name of the keyring; it must match the Keyring specified in the PAGENT configuration

RACDCERT ID(stcuser) CONNECT(ID(stcuser) LABEL('clientlabel') RING('keyringname') USAGE(PERSONAL))

where:

stcuser

RACF user id associated with the TCPIP address space

clientlabel

Label for the client certificate

keyringname

Name of the keyring; it must match the Keyring specified in the PAGENT configuration

8.
RACDCERT EXPORT (LABEL('calabel')) CERTAUTH DSN('datasetname') FORMAT(CERTB64)

where:

calabel

Label for certificate authority, specified in the CA certificate definition

datasetname

Data set to receive the exported certificate

RACDCERT EXPORT (LABEL('clientlabel')) ID(stcuser) DSN('datasetname') FORMAT(PKCS12DER) PASSWORD('password')

where:

clientlabel

Label for the client certificate

stcuser

RACF user id associated with the TCPIP address space

datasetname

Data set to receive the exported certificate

password

Password for data encryption. Needed when the certificate is received on STA. The password must be 8 characters or more.

Transmit the export data sets to STA; FTP can be used. Transmit the CA certificate with an EBCDIC to ASCII conversion. Transmit the CLIENT certificate as a BINARY file; it contains both the client certificate and its private key.
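The two exports use different transfer modes, and using the wrong one damages the file without any obvious sign of it. The following sanity check for the received files is an added example, not part of the Oracle guide. The function names are hypothetical, cp037 is assumed as the EBCDIC code page, and the sample data is constructed rather than a real certificate.

```python
import base64

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"
# Constructed stand-in for a certificate: a DER SEQUENCE holding 256 zero bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = f"{PEM_HEAD}\n{base64.encodebytes(SAMPLE_DER).decode()}{PEM_TAIL}\n"

def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose length matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length is in this octet
        header, body = 2, first
    else:
        n = first & 0x7F                  # long form: n length octets follow
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + body == len(data)

def check_ca_export(data: bytes) -> str:
    """Classify the FORMAT(CERTB64) CA file as received on the STA side."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        text = ""
    if PEM_HEAD not in text:
        if PEM_HEAD in data.decode("cp037"):
            return "still-ebcdic"         # sent without EBCDIC to ASCII conversion
        return "not-pem"
    body = text.split(PEM_HEAD, 1)[1].split(PEM_TAIL, 1)[0]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return "bad-base64"
    return "ok" if der_length_ok(der) else "bad-der"

def check_client_export(data: bytes) -> str:
    """Classify the FORMAT(PKCS12DER) client file as received on the STA side."""
    if der_length_ok(data):
        return "ok"
    if data[:1] == b"\x30":
        return "length-mismatch"          # truncated, or altered by a text-mode transfer
    return "not-der"                      # e.g. translated to ASCII in transit
```

This checks only the outer encoding of each file; it does not decrypt the PKCS#12 container or validate the certificate chain.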

9.

Copyright © 2012, 2013 Oracle and/or its affiliates. All rights reserved.