Complete these steps for RACF® to
authorize the server to use digital certificates. SSL uses digital
certificates and public and private keys.
Before you begin
You must request a certificate authority (CA) certificate
and a signed certificate for your server. If you plan to implement
Secure Sockets Layer (SSL) client certificate support, you must also
have certificate authority certificates from each certificate authority
that verifies your client certificates. You must have a user ID with
the authority to use the RACDCERT command in the Resource Access Control
Facility (RACF) (for example, SPECIAL authority).
About this task
If your application server uses SSL, you must use RACF to
store digital certificates, and you must use public and private keys
for the user identities under which the server controllers run.
Procedure
- For each server that uses SSL, create a key ring for the
controller user ID of that server.
Example: Your
controller is associated with the user ID called ASCR1. Issue the
following command:
RACDCERT ADDRING(ACRRING) ID(ASCR1)
- Receive the certificate for your application server from
the certificate authority.
Example: You requested
a certificate, and the certificate authority returned the signed
certificate to you, which you stored in a file called ASCR1.CA. Issue
the following command:
RACDCERT ID (ASCR1) ADD('ASCR1.CA') WITHLABEL('ACRCERT') PASSWORD('password')
- Connect the signed certificate to the controller user ID's
key ring and make the certificate the default certificate.
Example:
Connect the certificate that is labeled ACRCERT to the key ring ACRRING
owned by ASCR1. Issue the following command:
RACDCERT ID(ASCR1) CONNECT (ID(ASCR1) LABEL('ACRCERT') RING(ACRRING) DEFAULT)
- If you plan to have the server authenticate clients (SSL
client certificate support), complete the following steps:
- Receive each certificate authority (CA) certificate
that verifies your client certificates, and give each CA certificate
the CERTAUTH attribute.
Example:
Receive the CA certificate that verifies a client with user ID CLIENT1.
That certificate is in a file called USER.CLIENT1.CA. Issue the following
command:
RACDCERT ADD('USER.CLIENT1.CA') WITHLABEL('CLIENT1 CA') CERTAUTH
- Connect each client's certificate authority (CA) certificate
to the controller user ID's key ring.
Example: Connect
the CLIENT1 CA certificate to the ring ACRRING owned by ASCR1. Issue
the following command:
RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('CLIENT1 CA') RING(ACRRING))
- Give read access for IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING
in the RACF FACILITY class to the controller user ID.
Example: Your controller user ID is ASCR1. Issue:
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(ASCR1) ACC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(ASCR1) ACC(READ)
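Before handing the key ring to the server, it is worth confirming that the RACF objects the steps above create look the way the server expects. The batch job below is an added verification example (not part of the original procedure) that runs the RACDCERT and RLIST display commands under IKJEFT01 using the user ID, labels and ring name from the examples above; the JOB card accounting values are placeholders.

```jcl
//RACFCHK  JOB (ACCT),'VERIFY SSL RING',CLASS=A,MSGCLASS=X
//* Placeholder JOB card: adjust ACCT, CLASS and MSGCLASS for your site.
//* Runs TSO commands in batch; output goes to SYSTSPRT.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(ASCR1) LISTRING(ACRRING)
  RACDCERT ID(ASCR1) LIST(LABEL('ACRCERT'))
  RACDCERT CERTAUTH LIST(LABEL('CLIENT1 CA'))
  RLIST FACILITY IRR.DIGTCERT.LIST AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
/*
```

In the LISTRING output, ACRCERT should appear with the DEFAULT flag set and owner ID(ASCR1), while CLIENT1 CA should appear with owner CERTAUTH; the two RLIST access lists should show ASCR1 with READ. If the FACILITY class is RACLISTed on your system, the PERMIT commands take effect only after a SETROPTS RACLIST(FACILITY) REFRESH.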
What to do next
You are done with the RACF phase
when the RACF commands succeed.