Why and when to perform this task
When creating Secure Sockets Layer (SSL) digital certificates and System Authorization Facility keyrings that applications can use to initiate HTTPS requests, the owner of the System Authorization Facility (SAF) keyring (and personal keys) must be the MVS user ID established by the servant region's STARTED class profile. This user ID must be the owner because these applications run in the WebSphere Application Server for z/OS servant region address. This user ID is different than the WebSphere Application Server for z/OS controller user ID. If you use keystores and trust stores in a Hierarchical File System (HFS), a file name uniquely identifies the file within the file system.
Steps for this task
RACDCERT ID(ASSR1) GENCERT SUBJECTSDN(CN('J2EE SERVER') O('Z/OS WEBSPHERE') L('POUGHKEEPSIE') SP('NEW YORK') C('US')) SIZE(512) WITHLABEL('ASSR1 SERVER CERTIFICATE') SIGNWITH(CERTAUTH LABEL('PVT CA'))
In this example, the certificate authority used to generate the unique servant region certificate is the same one used to generate the certificates for the WebSphere Application Server for z/OS servers by the customization job.
RACDCERT ADDRING(S1GRING) ID(ASSR1)
The new keyring is owned by the servant user ID for the certificate authority certificate and the servant server certificate.
RACDCERT ID(ASSR1) CONNECT(RING(S1GRING) LABEL('PVT CA') CERTAUTH)
For this example:
Note that if the target of the request is another WebSphere Application Server for z/OS server, you must also import the certificate authority certificate used by the WebSphere Application Server for z/OS HTTPS repertoire (which is generally set up during customization) into your keyring if it is different than the certificate signer. If authentication using client certificates is requested, you must also import the certificate authority of your application into the HTTPS repertoire.
RACDCERT ID(ASSR1) CONNECT(ID(ASSR1) LABEL('ASSR1 SERVER CERTIFICATE') RING(S1GRING) DEFAULT)
For this example:
Result
For WebSphere Application Server for z/OS, some digital certificate and keyring management is required to edit and use the sslConfig property, which is one of the user-definable ibm-webservicesclient-bnd.xmi assembly properties. For more information on the sslConfig property, refer to ibm-webservicesclient-bnd.xmi assembly properties.
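The ownership requirement stated at the top of this task can be checked against a command script before it is run. The following is an added example, not IBM's code: it parses the four RACDCERT commands from the steps above and reports a keyring that the servant user ID does not own, a keyring with no certificate authority certificate or no servant-owned default certificate, and a key size below a policy floor. The 2048-bit floor and the finding names are assumptions chosen for illustration.

```python
import re

# The four RACDCERT commands from the steps above, reproduced as sample input.
COMMANDS = [
    "RACDCERT ID(ASSR1) GENCERT SUBJECTSDN(CN('J2EE SERVER') O('Z/OS WEBSPHERE') "
    "L('POUGHKEEPSIE') SP('NEW YORK') C('US')) SIZE(512) "
    "WITHLABEL('ASSR1 SERVER CERTIFICATE') SIGNWITH(CERTAUTH LABEL('PVT CA'))",
    "RACDCERT ADDRING(S1GRING) ID(ASSR1)",
    "RACDCERT ID(ASSR1) CONNECT(RING(S1GRING) LABEL('PVT CA') CERTAUTH)",
    "RACDCERT ID(ASSR1) CONNECT(ID(ASSR1) LABEL('ASSR1 SERVER CERTIFICATE') "
    "RING(S1GRING) DEFAULT)",
]
MIN_KEY_BITS = 2048  # assumed policy floor for RSA keys, not a value from the page

def operand(text, keyword):
    """Return the value of KEYWORD(value) or KEYWORD('value'), or None if absent."""
    m = re.search(r"\b%s\s*\(\s*'?([^')]*?)'?\s*\)" % keyword, text)
    return m.group(1) if m else None

def audit(commands, servant_id):
    """Return findings for rings the servant ID cannot use, plus weak key sizes."""
    findings, rings = [], {}
    for cmd in commands:
        conn = re.search(r"\bCONNECT\s*\((.*)\)\s*$", cmd)
        outer = cmd[:conn.start()] if conn else cmd
        owner = operand(outer, "ID")  # ID() outside CONNECT names the ring owner
        if "GENCERT" in outer:
            size = operand(cmd, "SIZE")
            if size and int(size) < MIN_KEY_BITS:
                findings.append("weak-key:" + size)
        elif "ADDRING" in outer:
            rings[(owner, operand(outer, "ADDRING"))] = {"ca": False, "default": None}
        elif conn:
            inner = conn.group(1)
            ring = rings.get((owner, operand(inner, "RING")))
            if ring is None:
                findings.append("connect-to-undefined-ring")
            elif re.search(r"\bCERTAUTH\b", inner):
                ring["ca"] = True
            elif re.search(r"\bDEFAULT\b", inner):
                # ID() inside CONNECT names the certificate owner; it falls
                # back to the ring owner when omitted.
                ring["default"] = operand(inner, "ID") or owner
    for (owner, name), ring in rings.items():
        if owner != servant_id:
            findings.append("ring-owner-mismatch:" + name)
        if not ring["ca"]:
            findings.append("no-ca-cert:" + name)
        if ring["default"] != servant_id:
            findings.append("default-cert-not-servant-owned:" + name)
    return findings
```

Calling `audit(COMMANDS, "ASSR1")` reports only the 512-bit key size from the GENCERT step. Passing a different user ID, such as a controller ID, also reports the ownership mismatches.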