To complete this task you use RACF® commands to create a CA certificate, a signed personal certificate, and a keyring on the CICS server.
You perform this task by issuing ISPF RACDCERT (RACF digital certificate) commands. You use RACDCERT commands to create and maintain digital certificates, and create the keyrings that are the repositories for digital certificates.
RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG CA CERT') C('GB'))
    KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT')
SETR RACLIST(DIGTCERT) REFRESH
RACF now displays a list of the selected classes; check that the list contains the DIGTCERT class that you have just created.
RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT'))
RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG PERSONAL CERT') C('GB'))
    WITHLABEL('CTG PERSONAL CERT') SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))
CTGUSER must be a valid RACF user ID.
SETR RACLIST(DIGTCERT) REFRESH
RACDCERT ADDRING(CTGSERVERKEYRING) ID(CTGUSER)
RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT') RING(CTGSERVERKEYRING)
    USAGE(CERTAUTH))
RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT') RING(CTGSERVERKEYRING)
    DEFAULT USAGE(PERSONAL))
RACDCERT LISTRING(CTGSERVERKEYRING) ID(CTGUSER)
Here is an example of the output generated by this command:
Ring:
     >CTGSERVERKEYRING<
Certificate Label Name               Cert Owner    USAGE      DEFAULT
----------------------------------   -----------   --------   -------
CTG CA CERT                          CERTAUTH      CERTAUTH   NO
CTG PERSONAL CERT                    ID(CTGUSER)   PERSONAL   YES
RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT')) DSN('CTGUSER.PERSONAL.CERT')
    FORMAT(CERTB64)
FORMAT(CERTB64) specifies that the certificate is stored in ASCII format. You have now configured SSL server authentication on the CICS server.
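The RACDCERT LISTRING output shown above can be checked mechanically after the procedure has been run. The following Python script is an added example, not part of the original procedure or of any IBM tooling; the function names and the three checks it applies (ring name, a connected CA certificate, exactly one default PERSONAL certificate owned by the user) are assumptions drawn from the sample output on this page.

```python
import re

# Constructed sample: the LISTRING output shown on this page.
SAMPLE = """\
Ring:
     >CTGSERVERKEYRING<
Certificate Label Name               Cert Owner    USAGE      DEFAULT
----------------------------------   -----------   --------   -------
CTG CA CERT                          CERTAUTH      CERTAUTH   NO
CTG PERSONAL CERT                    ID(CTGUSER)   PERSONAL   YES
"""

def parse_listring(text):
    """Return (ring_name, entries) parsed from RACDCERT LISTRING output."""
    ring, entries, in_table = None, [], False
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r">(.+)<", line)
        if m:
            ring = m.group(1)
        elif line.startswith("---"):
            in_table = True  # certificate rows follow the dashed rule
        elif in_table and line:
            # Labels may contain spaces, so take the three fixed
            # columns from the right-hand side of the row.
            parts = line.rsplit(None, 3)
            if len(parts) != 4:
                raise ValueError(f"unparseable row: {line!r}")
            label, owner, usage, default = parts
            entries.append({"label": label, "owner": owner,
                            "usage": usage, "default": default == "YES"})
    return ring, entries

def check_ring(text, ring_name, owner_id):
    """Return a list of problems; an empty list means the ring looks as expected."""
    ring, entries = parse_listring(text)
    problems = []
    if ring != ring_name:
        problems.append(f"ring is {ring!r}, expected {ring_name!r}")
    if not any(e["owner"] == "CERTAUTH" and e["usage"] == "CERTAUTH" for e in entries):
        problems.append("no CA certificate connected with USAGE(CERTAUTH)")
    defaults = [e for e in entries if e["default"]]
    if len(defaults) != 1:
        problems.append(f"{len(defaults)} default certificates, expected 1")
    for e in defaults:
        if e["usage"] != "PERSONAL" or e["owner"] != f"ID({owner_id})":
            problems.append(f"default {e['label']!r} is not a PERSONAL certificate owned by {owner_id}")
    return problems

if __name__ == "__main__":
    print(check_ring(SAMPLE, "CTGSERVERKEYRING", "CTGUSER") or "keyring OK")
```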