Using RACF to obtain a certificate for the web server
The IBM® HTTP Server supports using either gskkyman key databases (.kdb files) or RACF® (SAF) key rings for the server's certificate store. If you are setting up your web server for the first time, use a SAF key ring.
Note: If you have already set up your web server using gskkyman, you can continue to use it.
Use RACDCERT to generate the server certificate signed by the new Certificate Authority.
Example:
RACDCERT GENCERT ID(WEBSRV) SIGNWITH(CERTAUTH LABEL('Local PKI CA'))
WITHLABEL('SSL Cert') SUBJECTSDN(CN('www.YourCompany.com') O('Your Company Inc')
L('Millbrook') SP('New York') C('US'))
The web server needs a key ring that holds its new certificate and the CA certificate that signed it (plus any other CA certificate the server must trust). The RACDCERT command with the ADDRING and CONNECT operands sets this up. For example, the RACDCERT commands to create a key ring called SSLring for user ID WEBSRV and to connect the web server and CA certificates to it are:
Example:
RACDCERT ADDRING(SSLring) ID(websrv)
RACDCERT ID(websrv) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(SSLring)
USAGE(CERTAUTH))
RACDCERT ID(websrv) CONNECT(ID(websrv) LABEL('SSL Cert') RING(SSLring)
USAGE(PERSONAL) DEFAULT)
Connect the CA certificate with USAGE(CERTAUTH), not PERSONAL, and mark only the server's own certificate as DEFAULT: a ring can have just one default certificate, and it is the one the server presents to clients during the TLS handshake. Note that RING and USAGE belong inside the CONNECT parentheses.
Export the CA certificate to an MVS™ data set, then OPUT it as a binary file to a z/OS UNIX file system file so that it can be made available to your clients. FORMAT(CERTDER) writes only the certificate in binary DER form; the CA's private key stays in RACF and is never exported by this command.
Example:
RACDCERT EXPORT(LABEL('Local PKI CA'))
CERTAUTH DSN('pkisrvd.webroot.derbin') FORMAT(CERTDER)
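The commands on this page create the ring and export the CA certificate but do not show how to confirm the result or let the server use the ring. The following is an added example, not part of the original page, of the follow-up steps a practitioner would run after the commands above, written as TSO commands with CLIST-style comments. The data set name PKISRVD.WEBROOT.DERBIN mirrors the page's example; the z/OS UNIX path /u/webroot/cacert.der and the use of WEBSRV as the user ID the server runs under are assumptions.

```tso
/* Added example (not from the original page). Assumes the ring SSLring */
/* and the certificates 'Local PKI CA' and 'SSL Cert' from the commands */
/* above, a server user ID WEBSRV, and a target path /u/webroot.        */

/* 1. Verify the ring contents. Expect two entries: the CA certificate  */
/*    (Cert Owner CERTAUTH, Usage CERTAUTH) and 'SSL Cert' (Cert Owner  */
/*    ID(WEBSRV), Usage PERSONAL) with DEFAULT set to YES.              */
RACDCERT ID(WEBSRV) LISTRING(SSLring)

/* 2. Check the server certificate itself. Status must be TRUST and a   */
/*    private key must be present, or System SSL cannot use the ring.   */
RACDCERT ID(WEBSRV) LIST(LABEL('SSL Cert'))

/* 3. Allow the server's user ID to read its own key ring at run time.  */
/*    READ is sufficient for a ring the user ID owns itself; a ring      */
/*    owned by a different user ID would require UPDATE access.          */
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WEBSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. If the DIGTCERT and DIGTRING classes are RACLISTed, refresh them   */
/*    so the new certificate and ring profiles are visible.              */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

/* 5. Export only the CA certificate (FORMAT(CERTDER) carries no private */
/*    key) and copy it to the file system. BINARY prevents OPUT from     */
/*    applying an EBCDIC-to-ASCII conversion that would corrupt the DER. */
RACDCERT CERTAUTH EXPORT(LABEL('Local PKI CA')) DSN('PKISRVD.WEBROOT.DERBIN') FORMAT(CERTDER)
OPUT 'PKISRVD.WEBROOT.DERBIN' '/u/webroot/cacert.der' BINARY
```

Run the LISTRING step again after any later CONNECT or REMOVE; if two certificates ever show DEFAULT YES, or the CA entry shows Usage PERSONAL, the server will present the wrong certificate or fail to build its chain, and the fix is to reissue the CONNECT with the correct USAGE and a single DEFAULT as in the example above.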