IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Creating a RACF key ring

To create a RACF® key ring, you must first generate a RACF CA certificate and a personal certificate for IBM® Integration Bus, then connect the certificates to the key ring.

Each RACF key ring has its own name, up to 237 characters long, and is associated with a user ID. A RACF key ring is connected to a set of personal certificates and trusted certificates that are stored in the RACF database. The RACF command RACDCERT is used to create and delete key rings and to connect certificates to, or disconnect them from, key rings. RACF key rings are also called System Authorization Facility (SAF) key rings; SAF is an open standard for accessing security services.

To create a RACF key ring to be used by AT-TLS on behalf of IBM Integration Bus, complete the following steps.

  1. Generate a RACF certificate authority (CA) certificate.
    You can use RACF as a CA to generate and sign personal certificates for your internal systems or applications. This CA certificate needs to be created only once; it is then used to sign every personal certificate that RACF generates. The following example shows how to use a RACF command to generate a RACF CA certificate.
    RACDCERT CERTAUTH GENCERT +                          
      SUBJECTSDN(CN('MQRootCA') +                        
      OU('ISSW') +                                       
      O('IBM') +                                         
      L('HURSLEY') SP('WINCHESTER') C('GB')) +           
      KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN CERTSIGN) + 
      WITHLABEL('MQRootCA') +                            
      NOTAFTER(DATE(2020/01/30)) +                       
      SIZE(1024)
  2. Generate a personal certificate for IBM Integration Bus.
    This certificate identifies a specific instance of IBM Integration Bus and is presented to the partner application during the SSL handshake. It must be associated with the user ID under which IBM Integration Bus is running. The following example shows how to use a RACF command to generate the personal certificate for a broker called WI02BRK that is running under user ID WI02USR.
    RACDCERT ID(WI02USR) +                         
       GENCERT SUBJECTSDN(CN('WI02BRK') +          
       OU('ISSW') O('IBM') +                       
       L('HURSLEY') SP('WINCHESTER') C('GB')) +    
       WITHLABEL('WI02BRK') SIZE(1024) +           
       SIGNWITH(CERTAUTH LABEL('MQRootCA')) +      
       KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) +   
       NOTAFTER(DATE(2012/01/30))
  3. Create a RACF key ring and connect the certificates to the key ring.
    The RACF key ring must be associated with a user ID (in this case, the IBM Integration Bus user ID). The key ring must have a name (in this case, the same name as the broker), and the IBM Integration Bus personal certificate must be connected to the key ring. The following example shows how to use a RACF command to create a key ring and connect the IBM Integration Bus personal certificate.
    RACDCERT ID(WI02USR) ADDRING(WI02BRK)                
    RACDCERT ID(WI02USR) +                               
     CONNECT(ID(WI02USR) LABEL('WI02BRK') RING(WI02BRK)) 
    RACDCERT ID(WI02USR) LISTRING(WI02BRK)
    For RACF to validate a partner application certificate, you must import the signer certificate of the CA that generated and signed the personal certificate of the partner application. Typically, this certificate is extracted from the partner application keystore, transferred to z/OS® as a data set (WI02USR.VSR1BK.DER), imported into RACF, and connected to the RACF key ring as a signer (trusted) certificate. The following example shows how to use a RACF command to add a signer certificate to RACF and connect it to the RACF key ring.
    RACDCERT CERTAUTH ADD('WI02USR.VSR1BK.DER') +
    WITHLABEL('VSR1BK') TRUST
    RACDCERT CERTAUTH LIST(LABEL('VSR1BK'))
    RACDCERT ID(WI02USR) +
     CONNECT(CERTAUTH LABEL('VSR1BK') RING(WI02BRK))
    RACDCERT ID(WI02USR) LISTRING(WI02BRK)
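The three steps above, run as one batch TSO job rather than typed interactively, as an added example that is not part of the IBM page. The JOB accounting fields, the user ID WI02USR, the ring and label names, the expiry dates and SIZE(2048) are placeholders and choices of this example, not values taken from the page (the dates are chosen so the broker certificate does not outlive its CA). The job uses the IKJEFT1B entry point of the TSO terminal monitor program rather than IKJEFT01, because IKJEFT1B reports a failing RACDCERT command as a non-zero step return code, which the COND parameters on the later steps use to stop the job instead of connecting a certificate that was never created. Unlike the page's step 3, this example also connects the RACF CA certificate to the ring, so that the ring carries the full chain the broker presents and can validate partner certificates signed by that CA.

```jcl
//WI02KEYR JOB (ACCT),'IIB AT-TLS KEYRING',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Added example (not from the IBM page).  Placeholders: the JOB
//* accounting field, user ID WI02USR, ring/broker name WI02BRK,
//* CA label MQRootCA, the NOTAFTER dates and SIZE(2048).
//* IKJEFT1B returns the failing command's return code, so a failed
//* GENCERT stops the job at the next COND=(0,NE) check.
//*--------------------------------------------------------------------
//* Step 1: the RACF CA certificate.  Run this step only once; on a
//* later run remove it, because GENCERT fails if the label exists.
//CAGEN    EXEC PGM=IKJEFT1B,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACDCERT CERTAUTH GENCERT +
   SUBJECTSDN(CN('MQRootCA') OU('ISSW') O('IBM') +
   L('HURSLEY') SP('WINCHESTER') C('GB')) +
   KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN CERTSIGN) +
   WITHLABEL('MQRootCA') +
   NOTAFTER(DATE(2035/01/30)) +
   SIZE(2048)
/*
//*--------------------------------------------------------------------
//* Step 2: the broker's personal certificate, owned by the broker
//* user ID and signed by the CA created above.
//*--------------------------------------------------------------------
//BRKGEN   EXEC PGM=IKJEFT1B,DYNAMNBR=30,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACDCERT ID(WI02USR) GENCERT +
   SUBJECTSDN(CN('WI02BRK') OU('ISSW') O('IBM') +
   L('HURSLEY') SP('WINCHESTER') C('GB')) +
   WITHLABEL('WI02BRK') SIZE(2048) +
   SIGNWITH(CERTAUTH LABEL('MQRootCA')) +
   KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) +
   NOTAFTER(DATE(2027/01/30))
/*
//*--------------------------------------------------------------------
//* Step 3: create the ring, connect the personal certificate as the
//* ring's DEFAULT certificate (used when the AT-TLS policy names no
//* CertificateLabel), connect the CA certificate as a trusted signer,
//* refresh the RACLISTed certificate classes, and list the result.
//*--------------------------------------------------------------------
//KEYRING  EXEC PGM=IKJEFT1B,DYNAMNBR=30,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACDCERT ID(WI02USR) ADDRING(WI02BRK)
 RACDCERT ID(WI02USR) +
   CONNECT(ID(WI02USR) LABEL('WI02BRK') RING(WI02BRK) +
           USAGE(PERSONAL) DEFAULT)
 RACDCERT ID(WI02USR) +
   CONNECT(CERTAUTH LABEL('MQRootCA') RING(WI02BRK) USAGE(CERTAUTH))
 SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
 RACDCERT ID(WI02USR) LISTRING(WI02BRK)
 RACDCERT ID(WI02USR) LIST(LABEL('WI02BRK'))
/*
```

After the job runs, the SYSTSPRT output of the KEYRING step is the check: the LISTRING output should show WI02BRK as a PERSONAL entry marked as the default and MQRootCA as a CERTAUTH entry, and the LIST output should show the certificate's status as TRUST and a NOTAFTER date in the future. The submitting user needs RACDCERT authority through the FACILITY class profiles (IRR.DIGTCERT.GENCERT, IRR.DIGTCERT.ADDRING, IRR.DIGTCERT.CONNECT, IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST) or the equivalent RACF authority. The partner CA import shown on the page (RACDCERT CERTAUTH ADD of the transferred DER data set, then CONNECT to the same ring) fits as a further step of the same shape once the data set has been transferred in binary. The ring is then referred to in the AT-TLS policy as WI02USR/WI02BRK when the policy agent is configured in the next task.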
Next: Configure and activate the policy agent by following the instructions in Configuring and activating the policy agent (PAGENT).

bp22790_.htm | Last updated Friday, 21 July 2017