Creating new RACF certificates
Use the RACDCERT command to create and add new certificates to a key ring.
Procedure
- Create a certificate, specifying the CICS region user ID. Enter the RACDCERT GENCERT command as follows:
RACDCERT ID(foruser) GENCERT SUBJECTSDN(CN('username') T('username''s certificate') OU('department') O('organization') L('city') SP('state') C('country')) NOTBEFORE(DATE(start) TIME(00:00:00)) NOTAFTER(DATE(finish) TIME(23:59:59)) SIGNWITH(CERTAUTH LABEL('certifier')) WITHLABEL('certlabel') SIZE(1024)
Provide values for the variables. The country code for the country variable must be an ISO 3166-1 code. For a list of valid codes, see https://www.iso.org/iso-3166-country-codes.html. The value of certifier is the label of the signing certificate in the key ring.
- Add the certificate to the key ring using the RACDCERT CONNECT command.
- If you want to share the certificate across multiple CICS regions, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify USAGE(PERSONAL). Any CICS region that has the same region user ID and is using the same key ring can access the certificate.
RACDCERT ID(foruser) CONNECT(RING(ringname) LABEL('label') USAGE(PERSONAL))
- If you want to add a certificate to the key ring as the default certificate, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify DEFAULT.
RACDCERT ID(foruser) CONNECT( RING(ringname) LABEL('label') DEFAULT)
When a client or server requests a certificate from CICS, the default certificate is used unless you have specified otherwise. For inbound HTTP requests, specify the certificate in the TCPIPSERVICE resource.
- After running any of the RACDCERT commands that update certificates or key rings, if the DIGTCERT and DIGTRING classes are RACLISTed, you must issue the following command:
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
- After you make any updates or additions to the certificates in the key ring, issue the PERFORM SSL REBUILD command for the CICS region. The command rebuilds the SSL environment for the CICS region and refreshes the cache of certificates with the new information from the key ring.