To complete this task, you use iKeyman to create and export the client certificate, FTP to transfer the certificate file to the server, and a RACDCERT (RACF® digital certificate) command to import the certificate into the RACF keyring.
iKeyman is installed in:
SSL client authentication provides extra security between the client and the CICS® server. SSL client authentication builds on the security provided by SSL server authentication. SSL client authentication requires that the client keyring contains a self-signed certificate that is used to identify the connecting client.
The iKeyman tool now generates a public/private key pair.
The self-signed client certificate appears in the Personal Certificates window. The certificate has the name that you entered in the Key label field, in this example exampleclientcert.
The exported certificate is a signer certificate generated from the personal certificate in the keyring; it does not contain the private key. Import the certificate into the keyring of every server that needs to communicate with the SSL client. The server uses the certificate to verify the identity of the client.
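Before the .arm file is transferred, it is worth confirming that it really is what the previous paragraph describes: a single Base64-encoded certificate, no private key, and issuer equal to subject (self-signed). The following check is an added example, not part of the product documentation or the iKeyman tool; it parses only as much DER as is needed to locate the two Name fields, and sample_arm builds a constructed, unsigned certificate skeleton purely as offline test input (not a real certificate).

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)  # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    if tag == 0xA0:  # optional [0] EXPLICIT version
        pos = nxt
    fields = {}
    for name in ("serial", "sigalg", "issuer", "validity", "subject"):
        _, _, nxt = _tlv(der, pos)
        fields[name], pos = der[pos:nxt], nxt
    return fields["issuer"], fields["subject"]

def check_arm_file(text):
    """Return a list of problems; an empty list means the file is safe to send."""
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in kind for kind, _ in blocks):
        return ["file contains a private key; export only the signer certificate"]
    certs = [body for kind, body in blocks if kind == "CERTIFICATE"]
    if len(certs) != 1:
        return [f"expected exactly one CERTIFICATE block, found {len(certs)}"]
    try:
        issuer, subject = issuer_and_subject(base64.b64decode("".join(certs[0].split()), validate=True))
    except (ValueError, IndexError):
        return ["CERTIFICATE block is not valid Base64-encoded DER"]
    return [] if issuer == subject else ["certificate is not self-signed: issuer differs from subject"]

def sample_arm(issuer_cn, subject_cn):
    """Constructed test input: minimal unsigned DER skeleton (version, serial, algorithm, issuer, validity, subject)."""
    der = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")),
              name(issuer_cn), der(0x30, b""), name(subject_cn))
    b64 = base64.b64encode(der(0x30, tbs)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run check_arm_file on the contents of exampleclientcert.arm; an empty list means the file can be sent with the ASCII transfer shown next.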
ftp winmvs2g
Connected to server.company.com
User (server.company.com:(none)): name
331 Send password please.
Password: xxx
name is logged on.
Working directory is "/u/directory".
ftp> asc
Representation type is Ascii NonPrint
ftp> quote site recfm=vb
SITE command was accepted
ftp> put exampleclientcert.arm 'CTGUSER.CLIENT.CERT.ARM'
Port request OK.
125 Sending data set 'CTGUSER.CLIENT.CERT.ARM'
Transfer completed successfully.
ftp> quit
RACDCERT ID(CTGUSER) ADD('CTGUSER.CLIENT.CERT.ARM') WITHLABEL('CLIENT.CERT') TRUST
The command returns a message confirming that the certificate has been added with TRUST status and that the class needs to be refreshed:
Certificate Authority not defined to RACF.
Certificate added with TRUST status
SETR RACLIST(DIGTCERT) REFRESH
RACDCERT ID(CTGUSER) CONNECT(LABEL('CLIENT.CERT') RING(CTGSERVERKEYRING) USAGE(CERTAUTH))
The new signer certificate is added to the list in the Signer Certificates view, and can be used by the server to verify the identity of the client application.
You have now configured SSL client authentication.