You can use RACF to request a signing certificate (certificate
authority certificate) from a certificate authority such as Verisign.
Use an external certificate to authenticate your server to clients
that cannot recognize RACF certificates.
You must have authorization to use the RACDCERT command.
This command installs and maintains digital certificates, key rings,
and digital certificate mappings in RACF.
- Create a self-signed certificate in RACF as a placeholder:
    RACDCERT ID(foruser) GENCERT,
      SUBJECTSDN(CN('username')
                 T ('username''s certificate')
                 OU('department')
                 O ('organization')
                 L ('city')
                 SP('state')
                 C ('country'))
      NOTBEFORE(DATE(start) TIME(00:00:00))
      NOTAFTER (DATE(finish) TIME(23:59:59))
      WITHLABEL(self-signed-certlabel)
      SIZE (1024)
- Generate a certificate request, based on the placeholder
certificate, to send to your external certificate authority. Use the RACDCERT
GENREQ command:
    RACDCERT ID(cics-region-userid) GENREQ(LABEL('label'))
      DSN('request.dataset')
where label is the label of the placeholder self-signed certificate. RACF
saves the certificate request in the data set specified in the DSN parameter.
- Send the certificate request to the certificate authority,
using a method that the certificate authority accepts.
- When you receive the certificate, save it in a new data
set.
- Optional: If you are using a certificate authority
that is not one of the default certificate authorities, for which
certificates are already stored in the key database, you must import
the certificate authority's certificate into your RACF database. See
"Importing a certificate from a file as a trusted CA certificate" in the
z/OS information center.
- Replace the self-signed certificate with your new CA-signed
certificate:
    RACDCERT ID(cics-region-userid) ADD('response.dataset') TRUST
Create the key ring in the RACF database and add your CA-signed
certificate.
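
Added example, not from the original page: a check to run on the request that GENREQ writes before it is sent to the certificate authority. It reads the base64 PKCS #10 request and reports the RSA key size, because public certificate authorities that follow the CA/Browser Forum Baseline Requirements require at least 2048 bits and the SIZE(1024) shown above falls below that. Assumptions: the request data set has been transferred to a workstation as text; the function names, the MIN_RSA_BITS threshold and the constructed sample request are illustrative and not part of RACF.

```python
import base64
import re

MIN_RSA_BITS = 2048  # assumed policy floor; the GENCERT example above uses SIZE(1024)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, body):  # DER-encode one element; only used to build the constructed sample
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    size = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + size + body

def items(der):
    """Split DER bytes into a list of (tag, body) elements."""
    out, pos = [], 0
    while pos < len(der):
        tag, n, pos = der[pos], der[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length octets
            k = n & 0x7F
            n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
        if pos + n > len(der):
            raise ValueError("truncated DER element")
        out.append((tag, der[pos:pos + n]))
        pos += n
    return out

def rsa_key_bits(request_text):
    """Return the RSA modulus size in bits from a base64 PKCS #10 request."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", request_text, re.S)
    if not m:
        raise ValueError("no certificate request found")
    request = items(base64.b64decode("".join(m.group(1).split())))[0][1]
    info = items(items(request)[0][1])  # version, subject, SubjectPublicKeyInfo, attributes
    algorithm, key_bits = items(info[2][1])  # AlgorithmIdentifier, BIT STRING
    if items(algorithm[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    rsa_key = items(key_bits[1][1:])[0][1]  # skip the BIT STRING unused-bits octet
    return int.from_bytes(items(rsa_key)[0][1], "big").bit_length()

def sample_request(bits):
    """Constructed, unsigned PKCS #10 skeleton with a dummy modulus (demo input only)."""
    modulus = tlv(0x02, b"\x00\x80" + b"\x01" * (bits // 8 - 1))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + tlv(0x30, modulus + tlv(0x02, b"\x01\x00\x01"))))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    body = base64.encodebytes(tlv(0x30, info + alg + tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}-----END NEW CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    print({b: rsa_key_bits(sample_request(b)) >= MIN_RSA_BITS for b in (1024, 2048)})
```

The check does not verify the request's signature or subject; it only confirms the key size that the placeholder certificate carried into the request.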