Configuring a RACF site certificate for use with CICS TS
If you want to enable SSL in your CICS® Transaction Server for z/OS® regions, but you do not want to define a separate SSL certificate for each region, you can use a site certificate: a single certificate owned by SITE that several regions' key rings share.
Procedure
The key ring must be completely configured: it must contain not only the certificate pointed to by your TCPIPSERVICE RDO definition, but also every certificate in the chain that was used to sign that certificate. These signing certificates must be connected to the key ring with USAGE(CERTAUTH).
The following figure shows an example of a completely configured key ring as listed by the RACF command:

RACDCERT ID(ring_owner) LISTRING(ring_name)

Ring: ring_name

Certificate Label Name             Cert Owner   USAGE      DEFAULT
--------------------------------   -----------  --------   -------
Verisign Class 1 Primary CA        CERTAUTH     CERTAUTH   NO
IBM World Registry CA              CERTAUTH     CERTAUTH   NO
CICS-Sample-Certification          CERTAUTH     CERTAUTH   NO
Verisign Class 2 Primary CA        CERTAUTH     CERTAUTH   NO
SITECERT                           SITE         PERSONAL   YES
The certificate that you want to use as a site certificate (SITECERT) must be owned by SITE and have a usage of PERSONAL. This certificate is the one used by any TCPIPSERVICE definition that needs SSL encryption.
The key ring must be owned by the CICS region user ID. If multiple CICS regions use the same region user ID, they can share the same key ring. If they run under different region user IDs, then you must build separate key rings. However, you can use the same site certificate in each ring.
The site certificate must have a private key. If it does not, the TCPIPSERVICE either fails to install or fails when the first SSL connection attempts to use it.
The CICS region user ID must have CONTROL access or greater to the profile IRR.DIGTCERT.GENCERT in the FACILITY class. CONTROL access to this profile is what allows a user ID to use the private key of a certificate it does not own, which is the case for a SITE certificate.
For more information, see the sections RACF Callable Services Authorization and RACF Callable Services Usage Notes in z/OS Security Server RACF Callable Services.
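The following RACF command sequence is added here as a worked example and is not taken from the CICS documentation. It carries out the procedure above for one region user ID and then shares the same site certificate with a second region that runs under a different user ID. The user IDs CICSRGN1 and CICSRGN2, the ring name CICSRING, the subject distinguished name and the expiry date are assumptions; the signing CA is assumed to be the CICS-Sample-Certification CERTAUTH certificate from the figure, with its private key held in RACF.

```tso
/* Added example, not from the CICS documentation. Names CICSRGN1,  */
/* CICSRGN2, CICSRING and the subject DN are assumptions.           */

/* 1. Create the site certificate under the SITE owner, with a      */
/*    private key, signed by an internal CA that RACF holds.        */
RACDCERT SITE GENCERT +
   SUBJECTSDN(CN('cics.example.com') O('Example Corp') C('US')) +
   WITHLABEL('SITECERT') SIZE(2048) NOTAFTER(DATE(2027-12-31)) +
   SIGNWITH(CERTAUTH LABEL('CICS-Sample-Certification'))

/* 2. Build the ring owned by the first region user ID. The site    */
/*    certificate is connected with USAGE(PERSONAL) as the DEFAULT; */
/*    every CA in its chain is connected with USAGE(CERTAUTH).      */
RACDCERT ID(CICSRGN1) ADDRING(CICSRING)
RACDCERT ID(CICSRGN1) CONNECT(SITE LABEL('SITECERT') +
   RING(CICSRING) USAGE(PERSONAL) DEFAULT)
RACDCERT ID(CICSRGN1) CONNECT(CERTAUTH LABEL('CICS-Sample-Certification') +
   RING(CICSRING) USAGE(CERTAUTH))

/* 3. A region under a different user ID needs its own ring, but    */
/*    the same SITE certificate is connected to it; no second       */
/*    certificate or private key is created.                        */
RACDCERT ID(CICSRGN2) ADDRING(CICSRING)
RACDCERT ID(CICSRGN2) CONNECT(SITE LABEL('SITECERT') +
   RING(CICSRING) USAGE(PERSONAL) DEFAULT)
RACDCERT ID(CICSRGN2) CONNECT(CERTAUTH LABEL('CICS-Sample-Certification') +
   RING(CICSRING) USAGE(CERTAUTH))

/* 4. CONTROL on IRR.DIGTCERT.GENCERT lets a user ID use the        */
/*    private key of a certificate it does not own (the SITE cert). */
/*    READ on IRR.DIGTCERT.LISTRING lets the region read its own    */
/*    ring; the page above does not mention it, but CICS needs it.  */
PERMIT IRR.DIGTCERT.GENCERT  CLASS(FACILITY) ID(CICSRGN1 CICSRGN2) +
   ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CICSRGN1 CICSRGN2) +
   ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 5. Checks. The ring listing must show SITECERT as owner SITE,    */
/*    usage PERSONAL, default YES, and every signer as CERTAUTH.    */
/*    The certificate listing must show a Private Key Type other    */
/*    than None; without a private key the TCPIPSERVICE fails to    */
/*    install or fails on first use.                                */
RACDCERT ID(CICSRGN1) LISTRING(CICSRING)
RACDCERT ID(CICSRGN2) LISTRING(CICSRING)
RACDCERT SITE LIST(LABEL('SITECERT'))
```

The commands are written in batch TSO form (comment lines starting with /* and continuation with a trailing +), so they can be run from a SYSTSIN stream under IKJEFT01 or typed one at a time in TSO. Once the listings look like the figure above, each region names the ring on its KEYRING system initialization parameter and the certificate on the CERTIFICATE attribute of its TCPIPSERVICE definition; those CICS-side settings are not covered by the procedure on this page.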