Importing a signer certificate from a truststore to a z/OS keyring

You can import a signer certificate, which is also called a certificate authority (CA) certificate, from a truststore on a non-z/OS platform server to a z/OS® keyring.

1. On the non-z/OS platform server, change to the install_root/bin directory and start the iKeyman utility, which is called ikeyman.bat (Windows) or ikeyman.sh (UNIX).
   The install_root variable refers to the installation path for WebSphere® Application Server.
2. Within the iKeyman utility, open the server truststore. The default server truststore is called the trust.p12 file. The file is located in the $[USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name> directory. The default password is WebAS.
3. Extract the signer certificate from the truststore using the ikeyman utility. Complete the following steps to extract the signer certificate:
   1. Select Signer certificates from the menu.
   2. Select root from the list.
   3. Select Extract.
   4. Select the correct data type. The signer_certificate can have either a Base64-encoded ASCII data type or a Binary DER data type.
   5. Specify the fully qualified path and the file name of the certificate.
4. From an FTP prompt on the non-z/OS platform server, type ascii to change the file transfer to ascii mode.
5. You can ftp the certificate to the z/OS platform either as a file in the Hierarchical File System (HFS) or as an MVS dataset. To ftp as a dataset:, from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' mvs.dataset.
   The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The mvs.dataset variable is the data set name to which the certificate was exported.

   To ftp as a file in the HFS from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' file_name. The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The file_name variable is the name of the file in the HFS to which the certificate was exported.

   The RACDCERT CERTAUTH ADD command in the next step works with a Multiple Virtual Storage (MVS) data set only. You can either turn the certificate file into a binary MVS data set or use the put command with an HFS file, and then use the following command to copy the file into a MVS data set:

   cp -B /u/veser/Cert/W21S01N.p12 "//'VESER.CERT.W21S01N'"
   

6. On the z/OS platform server, go to option 6 in the Interactive System Productivity Facility (ISPF) dialog panels and issue the following commands as a super user to add the signer certificate to the z/OS keyring:
   1. Type RACDCERT CERTAUTH ADD ('signer_certificate') WITHLABEL('WebSphere Root Certificate') TRUST .
      The WebSphere Root Certificate variable refers to the label name for the certificate authority (CA) certificate that you are importing from a non-z/OS platform server. The keyring_name variable refers to the name of the z/OS keyring that is used by the servers in the cell.
   2. Type RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name)
   3. Type RACDCERT ID(DMCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name)
   4. Type RACDCERT ID(DMSR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name)
      In the previous commands, ASCR1, DMCR1, and DMSR1 are the RACF® IDs under which the started tasks for the cell run in WebSphere Application Server for z/OS. The ASCR1 value is the RACF ID for the application server control region. The DMCR1 value is the RACF ID for the deployment manager control region. The DMSR1 value is the RACF ID for the deployment manager server region.

RACDCERT ID(CBSYMSR1) LISTRING(keyring_name)