You can import a signer certificate, which is also called
a certificate authority (CA) certificate, from a truststore on a non-z/OS
platform server to a z/OS® keyring.
Procedure
- On the non-z/OS platform server, change to the install_root/bin directory
and start the iKeyman utility, which is called ikeyman.bat (Windows) or ikeyman.sh (UNIX).
The install_root variable refers to the installation
path for WebSphere® Application Server.
- Within the iKeyman utility, open the server truststore.
The default server truststore is called the trust.p12 file.
The file is located in the ${USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name> directory.
The default password is WebAS.
- Extract the signer certificate from the truststore using the iKeyman utility. Complete the following steps to extract the signer certificate:
- Select Signer certificates from the menu.
- Select root from the list.
- Select Extract.
- Select the correct data type. The signer_certificate
can have either a Base64-encoded ASCII data type or a Binary DER data
type.
- Specify the fully qualified path and the file name of
the certificate.
- From an FTP prompt on the non-z/OS platform server, type ascii to change the file transfer to ASCII mode.
- You can ftp the certificate to the z/OS platform either as a file in the Hierarchical File System (HFS) or as an MVS data set.
To ftp as a data set, from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' mvs.dataset. The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The mvs.dataset variable is the data set name to which the certificate was exported.
To ftp as a file in the HFS, from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' file_name. The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The file_name variable is the name of the file in the HFS to which the certificate was exported.
The RACDCERT CERTAUTH ADD command in the next step works with a Multiple Virtual Storage (MVS) data set only. You can either turn the certificate file into a binary MVS data set or use the put command with an HFS file, and then use the following command to copy the file into an MVS data set:
cp -B /u/veser/Cert/W21S01N.p12 "//'VESER.CERT.W21S01N'"
- On the z/OS platform server, go to option
6 in the Interactive System Productivity Facility (ISPF) dialog panels
and issue the following commands as a super user to add the signer
certificate to the z/OS keyring:
- Type RACDCERT CERTAUTH ADD ('signer_certificate') WITHLABEL('WebSphere Root Certificate') TRUST.
The WebSphere Root Certificate variable refers to the label name for the certificate authority (CA) certificate that you are importing from a non-z/OS platform server. The keyring_name variable in the following commands refers to the name of the z/OS keyring that is used by the servers in the cell.
- Type RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))
- Type RACDCERT ID(DMCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))
- Type RACDCERT ID(DMSR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))
In the previous commands, ASCR1, DMCR1, and DMSR1 are the RACF® IDs under which the started tasks for the cell run in WebSphere Application Server for z/OS. The ASCR1 value is the RACF ID for the application server control region. The DMCR1 value is the RACF ID for the deployment manager control region. The DMSR1 value is the RACF ID for the deployment manager server region.
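Before the certificate is trusted with RACDCERT CERTAUTH ADD, it is worth checking that the file that arrived on z/OS is byte-for-byte the one extracted from trust.p12 and that the transfer mode matched the data type chosen in the extract step. The following Python, added here as an example and not part of the original documentation or of WebSphere, detects whether a certificate file is Base64-encoded or binary DER, computes a SHA-256 fingerprint over the DER bytes to compare on both sides of the transfer, and models an ASCII-mode put (ASCII-to-EBCDIC translation, with cp037 assumed as the host code page) to show that it preserves a Base64 file but destroys a DER one. The sample certificate bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample, not a real certificate: a tiny DER SEQUENCE standing in for a
# DER-encoded signer certificate. It deliberately contains 0x0A and 0x0D bytes.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x0A, 0x02, 0x01, 0x0D])
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length_ok(data: bytes) -> bool:
    """True if data is one well-formed DER SEQUENCE (tag 0x30, length matches the file)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_format(data: bytes) -> str:
    """Classify a certificate file as 'base64' (Base64-encoded ASCII), 'der', or 'unknown'."""
    if _PEM_RE.search(data):
        return "base64"
    return "der" if der_length_ok(data) else "unknown"

def to_der(data: bytes) -> bytes:
    """Return the DER bytes for either input format; reject anything else."""
    fmt = detect_format(data)
    if fmt == "base64":
        return base64.b64decode(b"".join(_PEM_RE.search(data).group(1).split()))
    if fmt == "der":
        return data
    raise ValueError("not a Base64-encoded or DER certificate file")

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding: record it before the put, compare it after."""
    return hashlib.sha256(to_der(data)).hexdigest()

def ascii_mode_transfer(data: bytes) -> bytes:
    """Model an ASCII-mode FTP put to z/OS: every byte is translated ASCII -> EBCDIC (cp037 assumed)."""
    return data.decode("latin-1").encode("cp037")

def ebcdic_to_ascii(data: bytes) -> bytes:
    """Reverse translation, to fingerprint a text-mode copy on the z/OS side."""
    return data.decode("cp037").encode("latin-1")
```

A fingerprint mismatch, or a file that no longer classifies as base64 or der, means the wrong transfer mode was used (or the file was altered) and the ADD should not be issued.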
Results
After completing these steps, the z/OS keyring
contains the signer certificates that originated on the non-z/OS platform
server.
What to do next
To verify that the certificates were added, use option 6
on the ISPF dialog panel and type the following command: RACDCERT ID(CBSYMSR1) LISTRING(keyring_name)
The CBSYMSR1 value is the RACF ID for the application server region.
Note: Although
iKeyman is supported for WebSphere Application Server
Version 6.1, customers are encouraged to use the administrative console
to export signer certificates.