z/OS Cryptographic Services PKI Services Guide and Reference


Using RACF to obtain a certificate for the Web server

SA23-2286-00

The IBM HTTP Server supports using either gskkyman key databases (.kdb files) or RACF® (SAF) key rings for the server's certificate store. You are expected to use SAF key rings if you are setting up your Web server for the first time.
Note: If you have already set up your Web server using gskkyman, you can continue to use it.

Use RACDCERT to generate the server certificate signed by the new Certificate Authority.

Example:
RACDCERT GENCERT ID(WEBSRV) SIGNWITH(CERTAUTH LABEL('Local PKI CA')) 
   WITHLABEL('SSL Cert') SUBJECTSDN(CN('www.YourCompany.com') O('Your Company Inc') 
   L('Millbrook') SP('New York') C('US'))

The Web server needs a key ring containing its new certificate and any trusted CA certificate. The RACDCERT command with operands ADDRING and CONNECT also sets this up. For example, the RACDCERT commands to create a key ring called SSLring for user ID WEBSRV and to connect the Web server and CA certificates to it are:

Example:
RACDCERT ADDRING(SSLring) ID(websrv) 
RACDCERT ID(websrv) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(SSLring) 
   USAGE(PERSONAL) DEFAULT) 
RACDCERT ID(websrv) CONNECT(ID(websrv) LABEL('SSL Cert') RING(SSLring)
   USAGE(PERSONAL) DEFAULT)

Export the CA certificate to an MVS™ data set. Then OPUT it to a file system file so that it can be made available to your clients.

Example:
RACDCERT EXPORT(LABEL('Local PKI CA')) 
   CERTAUTH DSN('pkisrvd.webroot.derbin') FORMAT(CERTDER)
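
A client-side check for the exported file, as an added example that is not part of the IBM documentation: before a client trusts the CA certificate, it confirms that the file still has the outer DER shape of an X.509 certificate and that its SHA-256 fingerprint matches a value obtained out of band. The function names, the constructed sample bytes and the out-of-band fingerprint step are assumptions made for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def looks_like_certificate(der):
    """Outer X.509 shape: SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }, no trailing bytes."""
    try:
        tag, pos, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        tags = []
        while pos < end:
            child, _, pos = read_tlv(der, pos)
            tags.append(child)
        return tags == [0x30, 0x30, 0x03]
    except ValueError:
        return False

def check_ca_file(der, expected_sha256):
    """Return 'ok', 'not-der' or 'fingerprint-mismatch'."""
    if not looks_like_certificate(der):
        return "not-der"
    actual = hashlib.sha256(der).hexdigest()
    return "ok" if actual == expected_sha256.replace(":", "").lower() else "fingerprint-mismatch"

def _enc(tag, value):                      # tiny DER encoder, used only to build the sample
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed stand-in with a certificate's outer shape (not a real certificate).
SAMPLE = _enc(0x30, _enc(0x30, b"\x02\x01\x01" * 50)
              + _enc(0x30, b"\x06\x03\x2a\x03\x04") + _enc(0x03, b"\x00" + b"\xab" * 32))
PUBLISHED = hashlib.sha256(SAMPLE).hexdigest()   # stands in for the out-of-band fingerprint
# Simulates a transfer that applied EBCDIC-to-ASCII translation to the binary file.
TRANSLATED = SAMPLE.decode("cp037").encode("latin-1")
```

The structural check only catches gross damage such as truncation or character translation; the fingerprint comparison is what ties the file to the CA certificate that was exported.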





Copyright IBM Corporation 1990, 2014