To build a RACF key ring in the RACF database that is suitable
for use in a CICS region, you must grant access to the appropriate
profiles in the FACILITY class.
About this task
You must grant this access only to users who administer CICS
systems and not to general CICS users. The following profiles are
available, grouped by the access level required:
- CONTROL
  - IRR.DIGTCERT.GENCERT (to allow certificates to be signed by a
    CERTAUTH certificate)
  - IRR.DIGTCERT.ADD on first execution (to allow a CERTAUTH certificate
    to be generated)
  - IRR.DIGTCERT.CONNECT (to connect CERTAUTH certificates for other
    users)
- UPDATE
  - IRR.DIGTCERT.CONNECT (to connect CERTAUTH certificates to your
    key ring)
  - IRR.DIGTCERT.* (to manage certificates for other users)
- READ
  - IRR.DIGTCERT.* (to manage certificates for your own user ID)
IRR.DIGTCERT.* contains the wildcard asterisk, and
is intended as a generic profile. To allow generic profiles to be
created in the FACILITY class:
Procedure
- Issue the command SETROPTS GENERIC(FACILITY).
- Issue the following commands to define the profiles:
RDEFINE FACILITY(IRR.DIGTCERT.*)
RDEFINE FACILITY(IRR.DIGTCERT.ADD)
RDEFINE FACILITY(IRR.DIGTCERT.CONNECT)
RDEFINE FACILITY(IRR.DIGTCERT.GENCERT)
- Refresh the in-storage profiles. If the FACILITY class is RACLISTed,
issue:
SETROPTS RACLIST(FACILITY) REFRESH
Otherwise, issue:
SETROPTS GENERIC(FACILITY) REFRESH
- To permit a user ID or group ringuser to
use the commands contained in DFH$RING, issue the following commands:
PERMIT IRR.DIGTCERT.* CLASS(FACILITY) ID(ringuser) ACCESS(READ)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(UPDATE) (for self)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL) (for another user)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL)
DFH$RING is the sample that is provided with CICS to help you
set up a suitable key ring.
- You must give the first user of DFH$RING, certauser,
authority to create a certificate authority certificate:
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(certauser) ACCESS(CONTROL)
This certificate is then used to sign all the other certificates
created by DFH$RING.
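The following is an added example, not part of the CICS documentation or the DFH$RING sample: a small model of how RACF resolves a FACILITY-class check against the profiles defined in the procedure above, so that a proposed set of PERMITs can be reviewed before it is issued. It assumes RACF's standard resolution rules (a discrete profile governs when one exists, otherwise the most specific matching generic; a user ID absent from the access list receives the profile's UACC, which defaults to NONE), and the user IDs RINGUSER, CERTAUSER and CICSUSR, as well as the IRR.DIGTCERT.LIST resource, are constructed for the example.

```python
import fnmatch
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # lowest to highest

# Profiles as the page defines them. Access lists are constructed sample data
# mirroring the page's PERMIT commands; UACC NONE is the RDEFINE default.
PROFILES = {
    "IRR.DIGTCERT.*":       {"uacc": "NONE", "acl": {"RINGUSER": "READ", "CERTAUSER": "READ"}},
    "IRR.DIGTCERT.ADD":     {"uacc": "NONE", "acl": {"CERTAUSER": "CONTROL"}},
    "IRR.DIGTCERT.CONNECT": {"uacc": "NONE", "acl": {"RINGUSER": "CONTROL", "CERTAUSER": "CONTROL"}},
    "IRR.DIGTCERT.GENCERT": {"uacc": "NONE", "acl": {"RINGUSER": "CONTROL", "CERTAUSER": "CONTROL"}},
}

# Minimum access per RACDCERT function, as stated on this page. IRR.DIGTCERT.LIST is
# not on the page; it is assumed here to show what the generic still governs.
REQUIREMENTS = {
    "add certificate for own user ID":          ("IRR.DIGTCERT.ADD", "READ"),
    "add certificate for other user IDs":       ("IRR.DIGTCERT.ADD", "UPDATE"),
    "generate CERTAUTH certificate":            ("IRR.DIGTCERT.ADD", "CONTROL"),
    "connect certificates to own key ring":     ("IRR.DIGTCERT.CONNECT", "UPDATE"),
    "connect CERTAUTH certificates for others": ("IRR.DIGTCERT.CONNECT", "CONTROL"),
    "sign certificates with CERTAUTH":          ("IRR.DIGTCERT.GENCERT", "CONTROL"),
    "list own certificates":                    ("IRR.DIGTCERT.LIST", "READ"),
}

def governing_profile(resource):
    """RACF uses a discrete profile when one exists, otherwise the most
    specific matching generic (modelled as the longest literal prefix before '*')."""
    if resource in PROFILES:
        return resource
    generics = [p for p in PROFILES if "*" in p and fnmatch.fnmatchcase(resource, p)]
    return max(generics, key=lambda p: p.index("*"), default=None)

def access_of(user, resource):
    """Effective access: the user's entry on the governing profile, else its UACC."""
    entry = PROFILES.get(governing_profile(resource), {"uacc": "NONE", "acl": {}})
    return entry["acl"].get(user, entry["uacc"])

def sufficient(have, need):
    return ACCESS_ORDER.index(have) >= ACCESS_ORDER.index(need)

def capabilities(user):
    """Functions the user can perform under the profiles above."""
    return sorted(name for name, (res, need) in REQUIREMENTS.items()
                  if sufficient(access_of(user, res), need))

def control_outside(admins):
    """Least-privilege check: user IDs outside the admin set that hold CONTROL."""
    return sorted({u for p in PROFILES.values() for u, a in p["acl"].items()
                   if a == "CONTROL" and u not in admins})
```

Note that once the discrete IRR.DIGTCERT.ADD profile is defined, READ on the generic IRR.DIGTCERT.* no longer applies to ADD: the model resolves RINGUSER's access to IRR.DIGTCERT.ADD as NONE, so a user who must add certificates needs an explicit PERMIT on that profile.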
Results
You can add certificate information for your own user ID if
you have READ access to the IRR.DIGTCERT.ADD profile in the FACILITY
class. You can add certificate information for other user IDs if you
have UPDATE access to the IRR.DIGTCERT.ADD profile in the FACILITY
class. If you have RACF SPECIAL authority, you can execute RACDCERT
ADD for any user ID. With SPECIAL authority you can also generate a
digital certificate for any RACF-defined user or for any certificate
authority or site certificate.