Configure SSL Between STA and RACF

Install the MVS security certificate on the STA server and import it into the systemwide Java keystore.

  1. Verify that the required PTFs have been installed on the MVS system. These PTFs allow for authentication with RACF or other third-party security software when you log in to the STA application. See Review IBM RACF Mainframe Minimum Requirements for details.
  2. Obtain the following files:
    • MVS server certificate, in ASCII format
    • STA client private key, in binary PKCS12 format; the MVS system administrator should give you the password to this file.
  3. Transfer the files to the STA server, and place them in the certificates directory. The directory location is as follows:

    /Oracle_storage_home/Middleware/user_projects/domains/TBI/cert

    where Oracle_storage_home is the Oracle storage home location specified during STA installation.

  4. Convert the certificate from Distinguished Encoding Rules (DER) format to Privacy Enhanced Mail (PEM) format. For example:
    $ openssl pkcs12 -clcerts -in PKCS12DR.xxxxxx -out mycert.pem
    

    Where:

    • pkcs12 indicates PKCS#12 data management.
    • -clcerts indicates you want to output client certificates only.
    • -in specifies the input file.
    • -out specifies the output file.

    You will be asked to enter the import password (given to you with the certificate), a new PEM password, and password verification.

  5. Change to the JRE binary directory. The directory location is as follows:

    /Oracle_storage_home/StorageTek_Tape_Analytics/jdk/jre/bin

    where Oracle_storage_home is the Oracle storage home location specified during STA installation.

    For example:

    $ cd /Oracle/StorageTek_Tape_Analytics/jdk/jre/bin
    
  6. Use the Java keytool utility to import the certificate file into the systemwide Java keystore. The keystore is located in the following file:

    /Oracle_storage_home/StorageTek_Tape_Analytics/jdk1.6.0_xx/jre/lib/security/cacerts

    For example:

    $ ./keytool -importcert -alias tbiServer -file mycert.pem -keystore /Oracle/StorageTek_Tape_Analytics/jdk1.6.0_75/jre/lib/security/cacerts -storetype jks
    

    Where:

    • -importcert indicates you want to import a certificate.
    • -alias indicates the name you want to assign to the entry in the keystore.
    • -file indicates the name of the certificate file you want to import.
    • -keystore indicates the location of the systemwide Java keystore.
    • -storetype indicates the type of keystore.
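
A pre-import check for step 6, as an added example that is not part of the original procedure: because cacerts is the systemwide trust store, it helps to confirm what mycert.pem contains and to compare the certificate fingerprint with the value supplied by the MVS system administrator before running keytool. The names inspect_pem and SAMPLE_PEM and the sample text are assumptions constructed for illustration; the script reads only the PEM framing and does not validate the certificate itself.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)-----END \1-----", re.S)

def _hexpairs(digest):
    """Format digest bytes as colon-separated uppercase hex pairs."""
    return ":".join(f"{b:02X}" for b in digest)

def inspect_pem(text):
    """Return (block labels, certificate fingerprints, warnings) for PEM text."""
    labels, fingerprints, warnings = [], [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()))
            fingerprints.append({
                "SHA1": _hexpairs(hashlib.sha1(der).digest()),
                "SHA256": _hexpairs(hashlib.sha256(der).digest()),
            })
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 marks encryption in the label, the older format in a header.
            if "ENCRYPTED" not in label and "Proc-Type: 4,ENCRYPTED" not in body:
                warnings.append(f"unencrypted {label} in file")
    if len(fingerprints) != 1:
        warnings.append(f"expected 1 certificate, found {len(fingerprints)}")
    return labels, fingerprints, warnings

def _block(label, data):
    """Wrap bytes in PEM framing (helper used only to build the sample)."""
    body = base64.encodebytes(data).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample shaped like the output of step 4: bag-attribute text,
# one certificate, one encrypted private key. The bodies are placeholder
# bytes, not real DER.
SAMPLE_PEM = (
    "Bag Attributes\n    friendlyName: constructed-example\n"
    + _block("CERTIFICATE", b"constructed placeholder bytes, not real DER " * 3)
    + "Bag Attributes\n    friendlyName: constructed-example\n"
    + _block("ENCRYPTED PRIVATE KEY", b"constructed placeholder key bytes")
)

if __name__ == "__main__":
    labels, fps, warnings = inspect_pem(SAMPLE_PEM)
    print("blocks:", labels)
    for alg, value in (fps[0] if fps else {}).items():
        print(f"{alg}: {value}")
    print("warnings:", warnings or "none")
```

To check a real file, pass the contents of mycert.pem to inspect_pem and compare the result with the fingerprint shown for the tbiServer alias by keytool -list -v after the import.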