[z/OS]

Creating writable SAF keyrings

WebSphere® provides the function that allows a WebSphere administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) Data Library functions for SAF keyrings. This task creates new keystore configurations and their associated keyrings.

Before you begin

The JCERACFKS keystore is used with the IBMJCE provider or the IBMJCECCA provider. You can use the JCERACFKS keystore for certificates and keys that are managed and stored by resource access control facility (RACF®). The uniform resource identifier (URI) path reference for the JCERACFKS keystore is in the form of safkeyring:///your_keyring_name.
Attention: The JCERACFKS keystore type is only available on the z/OS® platform.
Important: You must enable support for writable keyrings by using the profile management tool before you generate the application server profiles. Writable keyring support is only configurable when running z/OS Release 1.9, or z/OS Release 1.8 with APAR OA22287 (RACF, or the equivalent APAR for your security product) and APAR OA22295 (SAF).

About this task

Complete the following steps in the administrative console:

Procedure

  1. Click Security > SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration. Under Related items, click Key stores and certificates. Then click the New button.
  2. Type a name in the Name field. This name uniquely identifies the keystore in the configuration.
  3. Type the location of the keystore file in the Path field. The URI must contain safkeyring, for example, safkeyring:///your_keyring_name.
  4. Type password in the Password field. To remain compatible with the JCE keystore, which requires a password, the JCERACFKS password is always "password". Unlike other keystore types, this keystore is not actually protected by the password; RACF protects it based on the identity of the executing thread. The password applies to the keystore file that you specified in the Path field.
  5. Select JCERACFKS for the Type and complete the rest of the fields as appropriate.
  6. Deselect the Read only check box.
  7. For the control region user field, specify the control region started task user ID (RACF ID) under which the control region SAF keyring is created. The user ID must match the exact RACF ID being used by the control region.
    Note: This option only applies when creating writable SAF keyrings on z/OS.
  8. For the servant region user field, specify the servant region started task user ID (RACF ID) under which the servant region SAF keyring is created. The user ID must match the exact RACF ID being used by the servant region.
    Note: This option only applies when creating writable SAF keyrings on z/OS.
  9. Click OK then click Save to apply these changes to the master configuration.

Results

A keystore is now available to configure SSL connections. Two additional keystore objects are created that can be accessed through the administrative console for performing certificate write operations on the appropriate keyring. The keystore objects are named your_keystore_name-CR and your_keystore_name-SR, where your_keystore_name is the name of the keystore that you specified on the create command. your_keystore_name-CR corresponds to the keyring owned by the RACF ID of the control region process, and your_keystore_name-SR corresponds to the keyring owned by the RACF ID of the servant region process. These keystores are created in the same scope as your_keystore_name and can be accessed from the your_keystore_name collection panel in the administrative console.
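As an added example that is not part of IBM's documentation, the following Python builds and checks the wsadmin AdminTask.createKeyStore arguments that correspond to the console steps above, and derives the -CR and -SR keystore names described in the Results. The AdminTask parameter names (-keyStoreReadOnly, -controlRegionUser, -servantRegionUser and the others) are assumed from the console field names, and the ring name and RACF user IDs are constructed sample values.

```python
# Added example, not IBM's code: build and check the wsadmin createKeyStore
# arguments for a writable JCERACFKS keystore, mirroring the console steps.
# Assumed: the AdminTask parameter names used below; the ring name and the
# RACF user IDs are constructed sample values.
import re

# Classic RACF user ID shape: 1 to 8 characters from A-Z, 0-9, @, #, $.
RACF_ID = re.compile(r'^[A-Z0-9@#$]{1,8}$')


def build_create_keystore_args(name, ring_uri, cr_user, sr_user, scope=None):
    """Return the AdminTask.createKeyStore argument string, or raise ValueError."""
    # The Path field must be a SAF keyring URI, e.g. safkeyring:///WASKeyring.
    if not ring_uri.startswith('safkeyring:///') or len(ring_uri) <= 14:
        raise ValueError('Path must be of the form safkeyring:///your_keyring_name')
    # Both IDs must match the started task user IDs exactly (RACF checks them).
    for region, uid in (('control region', cr_user), ('servant region', sr_user)):
        if not RACF_ID.match(uid):
            raise ValueError('%s user %r is not a valid RACF user ID' % (region, uid))
    args = [
        '-keyStoreName', name,
        '-keyStoreLocation', ring_uri,
        '-keyStorePassword', 'password',        # JCERACFKS password is fixed
        '-keyStorePasswordVerify', 'password',
        '-keyStoreType', 'JCERACFKS',
        '-keyStoreReadOnly', 'false',           # "Deselect the Read only check box"
        '-controlRegionUser', cr_user,
        '-servantRegionUser', sr_user,
    ]
    if scope:
        args += ['-scopeName', scope]
    return '[' + ' '.join(args) + ']'


def derived_keystore_names(name):
    """Names of the two extra keystore objects the task creates."""
    return (name + '-CR', name + '-SR')


# This part runs only inside wsadmin, where AdminTask and AdminConfig exist;
# in a plain Python interpreter only the builder/validator above is used.
_task, _config = globals().get('AdminTask'), globals().get('AdminConfig')
if _task is not None:
    _name = 'WasSafKeyStore'
    _task.createKeyStore(build_create_keystore_args(
        _name, 'safkeyring:///WASKeyring', 'WSCRU1', 'WSSRU1'))   # constructed
    _listing = _task.listKeyStores()
    for _expected in derived_keystore_names(_name):
        print('%s: %s' % (_expected, (_expected in _listing) and 'created' or 'MISSING'))
    _config.save()
```

Run it with wsadmin.sh -lang jython -f script.py on the deployment manager; the final loop confirms that both derived keystore objects appear in the keystore listing before the configuration is saved.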

What to do next

You can continue securing communication between the client and server using this keystore file when setting up an SSL configuration. Additionally, you are now able to perform certificate management operations from the administrative console or command task framework on the writable keystore configurations generated by this command.
RACF keyring considerations

Certificate Deletion

When a certificate is deleted from a RACF keyring, the certificate is not deleted from RACF. It is only disconnected from the keyring. The certificate can be reconnected through RACF if it is accidentally removed from the keyring. If you want the certificate completely deleted from RACF, the RACF administrator must remove it.

Import and Export of Certificates

During the import and export of certificates to and from managed SAF keystores, if the certificate already exists in RACF under a different label, it is connected to the keyring with the existing label, regardless of the label that you assign to the certificate on the import or export command.

Renewing Certificates

Certificates are not physically deleted from RACF. The existing certificate label still exists in RACF, and renewing a certificate increments the alias (label) of the certificate by appending _1, _2, and so on, to the existing certificate label.