[z/OS]

Exporting a signer certificate from WebSphere Application Server for z/OS to a truststore

You can export a signer certificate, which is also called a certificate authority (CA) certificate, from WebSphere® Application Server for z/OS® to a truststore.

Before you begin

WebSphere Application Server, WebSphere Application Server Network Deployment, or WebSphere Application Server Express® can use the certificate in the truststore.

Procedure

  1. Export the z/OS® signer certificate to a data set by issuing the following Resource Access Control Facility (RACF®) command as a super user using Time Sharing Option (TSO) option 6:
    RACDCERT CERTAUTH EXPORT(LABEL('signer_certificate')) DSN('mvs.dataset') FORMAT(CERTDER)
    The signer_certificate variable is the RACF label name of the certificate that is used by the cell. The signer_certificate can have either a Base64-encoded ASCII data type or a Binary DER data type. The mvs.dataset variable is the data set name to which the certificate is exported. You do not need to pre-allocate this data set because it is created by RACF.
  2. From a command line on the non-z/OS platform server, use the cd command to change to the following directory:
    ${USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name>
  3. From an FTP prompt on the non-z/OS platform server, type bin to change to binary mode.
  4. From an FTP prompt on the non-z/OS platform server, type the following command:
    get 'mvs.dataset' signer_certificate 
  5. On the non-z/OS platform server, change to the install_root/bin directory and start the iKeyman utility, which is called ikeyman.bat for Windows or ikeyman.sh for UNIX. Within the iKeyman utility, open the server truststore.
    The default server truststore is called the trust.p12 file. The file is located in the ${USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name>/ directory. The default password is WebAS.
  6. Add your exported signer certificate to the server truststore using the iKeyman utility. Complete the following steps to add your exported signer certificate:
    1. Select Signer certificates from the menu.
    2. Select the correct data type. The signer certificate can have either a Base64-encoded ASCII data type or a Binary DER data type.
    3. Specify the fully qualified path and file name of the signer certificate.
  7. Within the iKeyman utility, open the client truststore.
    The default client truststore is called the trust.p12 file. The file is located in the ${USER_INSTALL_ROOT}/etc/ directory. The default password is WebAS.
  8. Add your exported signer certificate to the client truststore using the iKeyman utility. Complete the following steps to add your exported signer certificate:
    1. Select Signer certificates from the menu.
    2. Select the correct data type. The signer certificate can have either a Base64-encoded ASCII data type or a Binary DER data type.
    3. Specify the fully qualified path and file name of the signer certificate.
  9. Restart the server process to use the new signer certificates.
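The following Python sketch is an added example, not part of the IBM procedure or product. Run on the non-z/OS server after step 4, it reports which data type to select in iKeyman and rejects a file whose DER framing is broken, as happens when the FTP transfer was not in binary mode. The function names and the sample data are hypothetical. It assumes that the Base64 form carries the usual BEGIN CERTIFICATE and END CERTIFICATE lines, and it checks only the outer DER framing, not the X.509 contents.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in (not a real certificate): a DER SEQUENCE holding 256 zero bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_total_length(data):
    """Return the byte length of the outer DER SEQUENCE, or None if data is not one."""
    if len(data) < 2 or data[0] != 0x30:       # 0x30 is the SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                           # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_certificate(data):
    """Return (iKeyman data type, SHA-256 hex digest of the DER bytes)."""
    match = PEM_RE.search(data)
    if match:
        # Remove line breaks, then decode strictly so that damaged Base64 is rejected.
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        kind = "Base64-encoded ASCII data"
    else:
        der, kind = data, "Binary DER data"
    if der_total_length(der) != len(der):
        raise ValueError("incomplete or altered DER data; was the FTP transfer in binary mode?")
    return kind, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    for name, blob in (("binary sample", SAMPLE_DER), ("base64 sample", SAMPLE_PEM)):
        print(name, *classify_certificate(blob))
```

FTP does not protect the file in transit, so the SHA-256 value gives the z/OS and non-z/OS administrators a fingerprint to compare out of band before the certificate is trusted.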

What to do next

After completing these steps, you can use the exported signer certificates with the WebSphere Application Server, WebSphere Application Server Network Deployment, or WebSphere Application Server Express products.