Step 2: Define profiles to control access to the RACDCERT command

Before you begin

The RACF® database provides digital certificate and key ring support through the RACDCERT command. The administrator who is responsible for managing the RACF key ring for the IKED needs appropriate access to this command.

Procedure

Perform the following steps to define profiles to control access to this command:

  1. If they are not already defined, create the definitions that are required to control access to the basic RACDCERT actions by issuing the following TSO commands:
    RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.GENREQ UACC(NONE)
  2. Issue the following TSO commands (where userid is the ID of the person who will be executing the RACDCERT command to manage digital certificates):
    PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(userid) ACC(CONTROL)
    PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(userid) ACC(UPDATE)
    PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(userid) ACC(CONTROL)
    PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(userid) ACC(CONTROL)
    PERMIT IRR.DIGTCERT.GENREQ CLASS(FACILITY) ID(userid) ACC(CONTROL)
    PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(userid) ACC(CONTROL)
    PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACC(UPDATE)
  3. Refresh the FACILITY class:
    SETROPTS RACLIST(FACILITY) REFRESH
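
The following pre-flight check is an added example, not part of the original procedure. It parses the commands from steps 1 to 3 as one batch and reports any profile defined with a UACC other than NONE, any profile that a PERMIT references but no RDEFINE in the batch creates (such profiles must already exist on the system, per the condition in step 1), and a missing final refresh. The user ID IKEADM, the function name review, and the finding labels are assumptions made for the example.

```python
import re

# Commands from steps 1-3; IKEADM is a constructed user ID standing in for userid.
COMMANDS = """\
RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENREQ UACC(NONE)
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(IKEADM) ACC(CONTROL)
PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(IKEADM) ACC(UPDATE)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(IKEADM) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(IKEADM) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENREQ CLASS(FACILITY) ID(IKEADM) ACC(CONTROL)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IKEADM) ACC(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IKEADM) ACC(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH
"""

RDEFINE_RE = re.compile(r"^RDEFINE\s+FACILITY\s+(\S+)\s+UACC\((\w+)\)$")
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\(FACILITY\)\s+ID\((\w+)\)\s+ACC\((\w+)\)$")
REFRESH = "SETROPTS RACLIST(FACILITY) REFRESH"

def review(batch):
    """Return (finding, detail) tuples for a batch of RACF commands."""
    lines = [ln.strip() for ln in batch.splitlines() if ln.strip()]
    defined, permitted, findings = {}, [], []
    for ln in lines:
        if m := RDEFINE_RE.match(ln):
            defined[m[1]] = m[2]          # profile name -> universal access
        elif m := PERMIT_RE.match(ln):
            permitted.append(m[1])        # profile the PERMIT targets
        elif ln != REFRESH:
            findings.append(("unparsed", ln))
    # Step 1 defines every profile with UACC(NONE); anything else is flagged.
    findings += [("uacc-not-none", p) for p, u in defined.items() if u != "NONE"]
    # Profiles permitted in step 2 that step 1 of this batch does not create.
    findings += [("must-already-exist", p) for p in permitted if p not in defined]
    # Step 3: the batch should end with the FACILITY class refresh.
    if REFRESH not in lines[-1:]:
        findings.append(("missing-refresh", "FACILITY"))
    return findings

if __name__ == "__main__":
    for finding, detail in review(COMMANDS):
        print(f"{finding}: {detail}")
```

Run against the commands as listed, it reports IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING, which step 2 permits but step 1 does not define.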