You can export a signer certificate, which is also called
a certificate authority (CA) certificate, from WebSphere® Application Server for z/OS® to
a truststore.
Before you begin
WebSphere Application Server, WebSphere Application Server Network Deployment, or WebSphere Application Server Express® can use the
certificate in the truststore.
Procedure
- Export the z/OS® signer certificate to a data set by issuing
the following Resource Access Control Facility (RACF®)
command as a super user using Time Sharing Option (TSO) option 6:
RACDCERT CERTAUTH EXPORT(LABEL('signer_certificate')) DSN('mvs.dataset') FORMAT(CERTDER)
The
signer_certificate variable
is the RACF label name of the certificate that is used
by the cell. The
signer_certificate can have either a Base64-encoded
ASCII data type or a Binary DER data type. The
mvs.dataset variable
is the data set name to which the certificate is exported. You do
not need to pre-allocate this data set because it is created by RACF.
- From a command line on the non-z/OS platform server, type cd and
change to the following directory:
${USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name>
- From an FTP prompt on the non-z/OS platform server, type bin to
change to binary mode.
- From an FTP prompt on the non-z/OS platform server, type
the following command:
get 'mvs.dataset' signer_certificate
- On the non-z/OS platform server, change to the install_root/bin directory
and start the iKeyman utility, which is called ikeyman.bat for Windows or ikeyman.sh for UNIX.
Within the iKeyman utility, open the server truststore.
The
default server truststore is called the trust.p12 file. The
file is located in the ${USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name>/ directory.
The default password is WebAS.
- Add your exported signer certificate to the server truststore
using the iKeyman utility. Complete the following steps to add your
exported signer certificate:
- Select Signer certificates from the menu.
- Select the correct data type. The signer certificate
can have either a Base64-encoded ASCII data type or a Binary DER data
type.
- Specify the fully qualified path and file name of the
signer certificate.
- Within the iKeyman utility, open the client truststore.
The default client truststore is called the trust.p12 file.
The file is located in the ${USER_INSTALL_ROOT}/etc/ directory. The
default password is WebAS.
- Add your exported signer certificate to the client truststore
using the iKeyman utility. Complete the following steps to add your
exported signer certificate:
- Select Signer certificates from the menu.
- Select the correct data type. The signer certificate
can have either a Base64-encoded ASCII data type or a Binary DER data
type.
- Specify the fully qualified path and file name of the
signer certificate.
- Restart the server process to use the new signer certificates.
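Before adding the downloaded file to a truststore it is worth confirming that the FTP transfer really ran in binary mode and which data type to select in iKeyman. The following Python script is an added example, not part of the IBM documentation: it classifies the file as Base64-encoded ASCII or binary DER, checks that the outer DER structure spans exactly the whole file (a transfer made in ASCII mode or a truncated download fails this), and produces a SHA-256 fingerprint to compare against the fingerprint of the same certificate on the z/OS side. SAMPLE_DER and SAMPLE_PEM are constructed stand-ins with only the outer shape of a certificate, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def detect_format(data: bytes) -> str:
    """'base64' for PEM armor, 'der' for a leading ASN.1 SEQUENCE tag, else 'unknown'."""
    if PEM_RE.search(data):
        return "base64"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"          # typical of a DER export fetched in FTP ASCII mode

def to_der(data: bytes) -> bytes:
    """Normalise either data type to raw DER bytes (empty if unrecognised)."""
    fmt = detect_format(data)
    if fmt == "base64":
        body = PEM_RE.search(data).group(1)
        return base64.b64decode(b"".join(body.split()))
    return data if fmt == "der" else b""

def der_structure_ok(der: bytes) -> bool:
    """Outer SEQUENCE length must span the whole file and wrap a tbsCertificate SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length with 1-4 length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der) and der[hdr:hdr + 1] == b"\x30"

def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint to compare with the value recorded on z/OS."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def check_signer_bytes(data: bytes) -> dict:
    """Report for one downloaded file: data type to select in iKeyman, structure, fingerprint."""
    der = to_der(data)
    return {"format": detect_format(data), "structure_ok": der_structure_ok(der),
            "sha256": fingerprint(der) if der else None}

# Constructed stand-ins with only the outer shape of a Certificate; not real certificates.
SAMPLE_DER = bytes.fromhex("3006300030000300")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

Run it against the file fetched with FTP as `check_signer_bytes(open("signer_certificate", "rb").read())`; a result with `"structure_ok": False` on a DER export usually means the transfer was not made in binary mode.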
What to do next
After completing these steps, you can use the exported signer
certificates with the WebSphere Application Server, WebSphere Application Server Network Deployment, or WebSphere Application Server Express products.