Using RACF key rings

The key rings that CICS® Transaction Gateway uses when establishing secure SSL connections are stored in RACF®. This provides an alternative to Java™ keystore (.jks) files stored in zFS (a z/OS UNIX System Services file system), and it keeps the private key under RACF control rather than in a password-protected file on disk.

Creating and maintaining key rings

The key ring must contain a personal certificate and the certificate authority (CA) certificate that signed it. The key ring must be accessible to the user ID under which the Gateway daemon runs: that user ID normally owns the ring and needs READ access to the FACILITY class profile IRR.DIGTCERT.LISTRING (UPDATE access if the ring is owned by a different user ID).

To create and maintain RACF key rings, use either the RACDCERT TSO command or the DIGITAL CERTIFICATES AND KEY RINGS panels, reached from the main RACF service options panel in ISPF.

For information on creating certificates and key rings in RACF, see the z/OS® Security Server RACF Security Administrator's Guide.

Exporting certificates

The key ring that CICS Transaction Gateway uses must contain the personal certificate with its private key connected as a personal certificate. It must also contain the Certificate Authority certificate used to sign the personal certificate, attached as a CERTAUTH certificate. The use of certificates connected as SITE is not supported.

You export the personal certificate to the client keystore using FTP. FORMAT(CERTB64) and FORMAT(CERTDER) export the public certificate only; the private key is never included in either format:

  • If you export as FORMAT(CERTB64), the file is Base64 text, so you must FTP it in ASCII mode to get the EBCDIC-to-ASCII translation.
  • If you export as FORMAT(CERTDER), the file is raw DER, so you must FTP it in binary mode; a text-mode transfer corrupts it.
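The following JCL is added here as a worked example of the two preceding procedures (building the ring that the Gateway daemon needs, then exporting the personal certificate); it is not from the CICS Transaction Gateway documentation. The user ID CTGUSER, ring name CTGRING, certificate labels CTGCA and CTGCERT, the data set name CTGUSER.CTGCERT.CER and the host name ctg.example.com are all assumptions, and the job assumes the submitter has RACF authority to run RACDCERT and that the FACILITY class is active and RACLISTed.

```jcl
//RACFRING JOB (ACCT),'CTG KEY RING',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the CICS TG documentation. Assumed names:
//*   CTGUSER - user ID the Gateway daemon runs under (owns the ring)
//*   CTGRING - key ring name that ctg.ini keyring= will refer to
//*   CTGCA   - label of the signing CA certificate (CERTAUTH)
//*   CTGCERT - label of the Gateway's personal certificate
//*   ctg.example.com - host name clients use to reach the Gateway
//*
//* Step 1: build the ring with exactly the two certificates the
//* Gateway needs: the CA connected as CERTAUTH, and the personal
//* certificate (with its private key) as PERSONAL and DEFAULT.
//* Nothing is connected with USAGE(SITE); CICS TG does not support it.
//* RDEFINE fails harmlessly if the profile already exists; IKJEFT01
//* carries on with the next command.
//RING     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH GENCERT                                  +
    SUBJECTSDN(CN('CTG Test CA') O('Example') C('US'))       +
    WITHLABEL('CTGCA') NOTAFTER(DATE(2033-12-31))
  RACDCERT ID(CTGUSER) GENCERT                               +
    SUBJECTSDN(CN('ctg.example.com') O('Example') C('US'))   +
    WITHLABEL('CTGCERT') SIGNWITH(CERTAUTH LABEL('CTGCA'))   +
    NOTAFTER(DATE(2026-12-31))
  RACDCERT ID(CTGUSER) ADDRING(CTGRING)
  RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTGCA')       +
    RING(CTGRING) USAGE(CERTAUTH))
  RACDCERT ID(CTGUSER) CONNECT(ID(CTGUSER) LABEL('CTGCERT')  +
    RING(CTGRING) USAGE(PERSONAL) DEFAULT)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CTGUSER)   +
    ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(CTGUSER) LISTRING(CTGRING)
/*
//*
//* Step 2: export the personal certificate for the client keystore.
//* CERTB64 and CERTDER carry the public certificate only; the private
//* key leaves RACF only through the PKCS12 formats, which should not
//* be copied to clients. Transfer CTGUSER.CTGCERT.CER with FTP in
//* ASCII mode (CERTB64) or binary mode (CERTDER).
//EXPORT   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(CTGUSER) EXPORT(LABEL('CTGCERT'))              +
    DSN('CTGUSER.CTGCERT.CER') FORMAT(CERTB64)
/*
```

In the SYSTSPRT output of step 1, the LISTRING display should show CTGCA with usage CERTAUTH and CTGCERT with usage PERSONAL and DEFAULT YES; anything connected with usage SITE, or a missing CA entry, means the Gateway cannot use the ring. After the ASCII FTP transfer, the CERTB64 file can be imported into a Java client keystore with keytool -importcert -alias ctg -file CTGCERT.CER -keystore client.jks.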

Defining key rings in the configuration file

To set the RACF key ring in the configuration file:
  • Define the keyring entry as the name of the RACF key ring (omitting the keyringpw entry).
  • Define the esmkeyring parameter. esmkeyring is specified in the PRODUCT section of the ctg.ini file.

For more information see SSL protocol parameters.


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tgzos_latest/help/topic/com.ibm.cics.tg.zos.doc//ctgzos/c3a5ctemp5cracf.html