Use the RACDCERT command to create and add new certificates to a key ring. The certificates in the key ring must be associated with the CICS region user ID. The key ring must be owned by the CICS region user ID that is making use of it.
- Create a certificate, specifying the CICS region user ID. Enter the RACDCERT GENCERT command as follows:

    RACDCERT ID(foruser) GENCERT
      SUBJECTSDN(CN('username')
                 T ('username''s certificate')
                 OU('department')
                 O ('organization')
                 L ('city')
                 SP('state')
                 C ('country'))
      NOTBEFORE(DATE(start) TIME(00:00:00))
      NOTAFTER (DATE(finish) TIME(23:59:59))
      SIGNWITH (CERTAUTH LABEL('certifier'))
      WITHLABEL('certlabel')
      SIZE (1024)

  Provide values for the variables. The country code for the country variable must be an ISO 3166-1 code. For a list of valid codes, see http://www.iso.org/iso/country_codes/iso_3166_code_lists.htm. The value of certifier is the label of the signing certificate in the key ring.
- Add the certificate to the key ring using the RACDCERT CONNECT command.
  - If you want to share the certificate across multiple CICS regions, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify USAGE(PERSONAL). Any CICS region that has the same region user ID and is using the same key ring can access the certificate.

      RACDCERT ID(foruser) CONNECT(RING(ringname) LABEL('label') USAGE(PERSONAL))

  - If you want to add a certificate to the key ring as the default certificate, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify DEFAULT.

      RACDCERT ID(foruser) CONNECT(RING(ringname) LABEL('label') DEFAULT)

    When a client or server requests a certificate from CICS, the default certificate is used unless you have specified otherwise:
    - For inbound HTTP and IIOP requests, specify the certificate in the TCPIPSERVICE resource definition.
    - For outbound IIOP requests, specify the certificate in the CORBASERVER resource definition.
- After running any of the RACDCERT commands that update certificates or key rings, if the DIGTCERT and DIGTRING classes are RACLISTed, you must issue the following command:

    SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

- After you have performed a key ring update, restart the CICS region to pick up the changes.
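
The steps above run as one TSO batch job, with TSO continuation characters and a read-back of the certificate and ring. This is an added example, not part of the original documentation. The user ID CICSRGN1, ring CICSRING, labels, DN values and dates are constructed placeholders. It uses SIZE(2048) rather than the 1024 shown in the syntax above, on the assumption that the installed RACF level supports that key size.

```jcl
//CERTJOB  JOB (ACCT),'CICS KEY RING',CLASS=A,MSGCLASS=X
//* Added example. All IDs, labels, ring names, DN values and
//* dates are constructed placeholders. Assumes key ring CICSRING
//* already exists and is owned by CICSRGN1, and that a CERTAUTH
//* certificate labelled 'Example CA' is available for signing.
//*
//* Commands in SYSTSIN, in order:
//*  1. GENCERT  - create the certificate for the region user ID
//*  2. CONNECT  - add it to the ring as default, USAGE(PERSONAL)
//*  3. SETROPTS - refresh DIGTCERT/DIGTRING (needed if RACLISTed)
//*  4. LIST     - read back the certificate (dates, issuer, key)
//*  5. LISTRING - confirm the ring holds it with DEFAULT = YES
//* A trailing '-' continues a TSO command onto the next line.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(CICSRGN1) GENCERT -
    SUBJECTSDN(CN('CICSRGN1') -
               T('CICSRGN1''s certificate') -
               OU('Example Department') -
               O('Example Organization') -
               L('Example City') -
               SP('Example State') -
               C('US')) -
    NOTBEFORE(DATE(2030-01-01) TIME(00:00:00)) -
    NOTAFTER(DATE(2030-12-31) TIME(23:59:59)) -
    SIGNWITH(CERTAUTH LABEL('Example CA')) -
    WITHLABEL('CICSRGN1 Example Cert') -
    SIZE(2048)
  RACDCERT ID(CICSRGN1) CONNECT(RING(CICSRING) -
    LABEL('CICSRGN1 Example Cert') DEFAULT USAGE(PERSONAL))
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT ID(CICSRGN1) LIST(LABEL('CICSRGN1 Example Cert'))
  RACDCERT ID(CICSRGN1) LISTRING(CICSRING)
/*
```

Check the SYSTSPRT output for the LISTRING entry before restarting the CICS region; a certificate connected under a different owner ID or to a different ring will not appear there.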