The IKE daemon and NSS server require the ability to retrieve digital certificates associated with a particular identity from a RACF® key ring, and to perform operations with the associated private key.
Before you begin
The certificate that is assigned to the secure server is a locally signed certificate rather than one signed by a certificate authority. Assume that the local certificate authority has the distinguished name OU='Local Certificate Authority',O=IBM,C=US.

Requirement: If you are creating a certificate for a stack configured to use the certificate service from an NSS server, issue these commands against the RACF database for the system on which the NSS server runs. The user ID in the examples must be the user ID that runs the NSS server, and the key ring must be the key ring configured in the NSS server's configuration file.
Procedure
Perform the following steps to implement a locally signed server certificate:

1. Generate a self-signed certificate to represent the local certificate authority:

   RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('Local Certificate Authority') O('IBM') C('US'))
   KEYUSAGE(CERTSIGN) WITHLABEL('IBM Local Certificate Authority')

   This certificate is used as the certificate authority certificate.

2. Export the certificate to a data set (in this case, USER1.LOCCERTA.CERT):

   RACDCERT CERTAUTH EXPORT(LABEL('IBM Local Certificate Authority')) DSN('USER1.LOCCERTA.CERT')

3. Create a certificate for the server that is signed with the certificate authority certificate that was created in step 1:

   RACDCERT ID(IKED) GENCERT SUBJECTSDN(CN('SYSTEMA STACK1') OU('Inventory') O('IBM') C('US'))
   WITHLABEL('SYSTEMA STACK1') ALTNAME(DOMAIN('ibm.com'))
   SIGNWITH(CERTAUTH LABEL('IBM Local Certificate Authority'))

4. Connect the certificate to an existing key ring:

   RACDCERT ID(IKED) CONNECT(LABEL('SYSTEMA STACK1') RING(ikeyring) USAGE(PERSONAL))

5. Connect the local certificate authority certificate to the key ring:

   RACDCERT ID(IKED) CONNECT(CERTAUTH LABEL('IBM Local Certificate Authority') RING(ikeyring) USAGE(CERTAUTH))

   This completes the certificate hierarchy from root to SYSTEMA STACK1.

6. Add the following statement to the IKE daemon configuration file, iked.conf, or the NSS server configuration file, nssd.conf:

   Keyring IKED/ikeyring
Results
You know you are done when the X.509 digital certificate is available and is mapped to the X500DN identity CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US from the certificate's subject name, and to the FQDN identity ibm.com from the certificate's subject alternative name.

You can verify that the certificates you have created are connected to the key ring associated with user ID IKED by using the RACDCERT command and examining the Ring Associations field of its output. Verify that the certificate authority certificate was created and added to the IKED/ikeyring as follows:

   RACDCERT CERTAUTH LIST(LABEL('IBM Local Certificate Authority'))

Verify that the personal certificate for the IKE daemon was created and added to the IKED/ikeyring as follows:

   RACDCERT ID(IKED) LIST(LABEL('SYSTEMA STACK1'))
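As an added example that is not part of this IBM documentation, the following Python script automates the check described above: it parses RACDCERT LIST output for the Ring Associations, Subject's Name and alternate-name fields and confirms they match the IKED/ikeyring key ring, the X500DN identity and the FQDN identity. The sample output is constructed and its field layout is an assumption; adjust the field names to match what your system prints.

```python
# Constructed sample shaped like the output of
# RACDCERT ID(IKED) LIST(LABEL('SYSTEMA STACK1')); the field layout is an
# assumption, not a capture from a real system.
SAMPLE_LIST_OUTPUT = """\
  Subject's Name:
       >CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US<
  Subject's AltNames:
    Domain: ibm.com
  Ring Associations:
    Ring Owner: IKED
    Ring:
       >ikeyring<
"""


def parse_racdcert_list(text):
    """Pull the subject DN, alt-name domains and owner/ring pairs from LIST output."""
    info = {"subject": "", "domains": [], "rings": []}
    owner, pending = "", ""       # pending: the field the next >...< line fills
    for raw in text.splitlines():
        ln = raw.strip()
        if ln.startswith("Subject's Name:"):
            pending = "subject"
        elif ln.startswith("Domain:"):
            info["domains"].append(ln.split(":", 1)[1].strip())
        elif ln.startswith("Ring Owner:"):
            owner = ln.split(":", 1)[1].strip()
        elif ln == "Ring:":
            pending = "ring"
        elif pending and ln.startswith(">") and ln.endswith("<"):
            value = ln[1:-1]
            if pending == "ring":
                # Same owner/ring form as the Keyring statement in iked.conf
                info["rings"].append(f"{owner}/{value}")
            else:
                info[pending] = value
            pending = ""
    return info


def check_ike_identities(info, ring, x500dn, fqdn):
    """Return a list of mismatches; an empty list means every check passed."""
    problems = []
    if ring not in info["rings"]:
        problems.append(f"certificate is not connected to key ring {ring}")
    if info["subject"] != x500dn:
        problems.append(f"subject {info['subject']!r} != X500DN {x500dn!r}")
    if fqdn not in info["domains"]:
        problems.append(f"FQDN {fqdn!r} not in alternate names {info['domains']}")
    return problems
```

Run the personal certificate's LIST output through parse_racdcert_list and then check_ike_identities with "IKED/ikeyring", the X500DN and "ibm.com"; an empty result means the mappings the Results section describes are in place.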
Requirement: If the certificates connected to the key ring are for an NSS client, you must create a SERVAUTH profile for each certificate, and you must give the user ID associated with the NSS client access to this profile. Create this profile in the RACF database for the system on which the NSS server runs. For details about these profiles, see Steps for authorizing resources for NSS.