1. Create a key ring

Creating a key ring covers all the steps for generating and managing the digital certificates it holds. You do this with RACF commands, so be sure that you have the required RACF authority.

Note: You need the SPECIAL attribute to issue the RACDCERT command. (GROUP-SPECIAL is not sufficient.)

Steps: To create a key ring

  1. To activate certificate and key ring classes, use these commands:

    • SETROPTS CLASSACT(DIGTRING)

    • SETROPTS CLASSACT(DIGTCERT)

  2. To refresh after you make changes, use these commands:

    • SETROPTS RACLIST(DIGTRING) REFRESH

    • SETROPTS RACLIST(DIGTCERT) REFRESH

  3. To give access to the appropriate resources, use these commands:

    • RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)

    • RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)

    • PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(KGUEOR) ACCESS(READ)

    • PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(KGUEOR) ACCESS(READ)

    • PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(DFHCICS) ACCESS(CONTROL)

  4. To define a key ring, generate a self-signed certificate, and connect it to the key ring, use these commands:

    • RACDCERT ID(DFHCICS) ADDRING(CICSDEV1)

    • RACDCERT ID(DFHCICS) GENCERT SUBJECTSDN(CN('CICSDEV1') OU('MFI') O('MFI') C('US')) WITHLABEL('CICSDEV1CERT') TRUST SIZE(1024)

    • RACDCERT ID(DFHCICS) CONNECT(ID(DFHCICS) RING(CICSDEV1) LABEL('CICSDEV1CERT') DEFAULT)

    • SETROPTS RACLIST(DIGTRING DIGTCERT) REFRESH

  5. To enable the Windows SSL client to connect to the “CICSDEV1” server, export the newly created self-signed certificate to a data set using this command:

    RACDCERT EXPORT(LABEL('CICSDEV1CERT')) ID(DFHCICS) DSN(CICSDEV1.CERT)

    This writes the certificate contents to the physical sequential (PS) data set KGUEOR.CICSDEV1.CERT (the user's prefix is added because the DSN is not quoted), using the default FORMAT(CERTB64) and code page 1047.

  6. FTP the contents of that file to the Windows client's host with ASCII conversion.

  7. Paste the certificate to the client's CA list in the %sybase%\ini\trusted.txt file.

  8. Add “,ssl” to the CICSDEV1 server entry in the client's sql.ini file.

  9. To enable the CICS client (Client Option for CICS) to connect to the SSL server named “ase1”, FTP the “ase1” certificate file $SYBASE/$SYBASE_ASE/certificates/ase1.txt to the KGUEOR.ASE1CERT data set, with ASCII conversion.

  10. Add the “ase1” CA certificate that you transferred by FTP to the RACF database with TRUST status, using this command:

    RACDCERT ID(DFHCICS) ADD('KGUEOR.ASE1CERT') WITHLABEL('ASE1CERT') TRUST

  11. Connect the newly added certificate to the key ring and refresh:

    RACDCERT ID(DFHCICS) CONNECT(ID(DFHCICS) RING(CICSDEV1) LABEL('ASE1CERT'))

    SETROPTS RACLIST(DIGTRING DIGTCERT) REFRESH

Note: Be aware of certificate encoding, which is generally either a binary or a text format. Binary formats must be transported in their exact binary form, without any conversion. In contrast, text formats (such as Base64) must be transported as text. When transporting a text-format certificate between an ASCII system and the mainframe, be sure that the ASCII-to-EBCDIC (or EBCDIC-to-ASCII) translation is performed.
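The most common failure in steps 5 through 7 and 9 is a CERTB64 file that was sent in the wrong FTP mode, so it arrives still in EBCDIC or with a truncated record. The following check, added here as an example and not part of the original procedure or of Sybase's or IBM's tooling, classifies the received file before it is pasted into trusted.txt or added with RACDCERT ADD. It assumes the exported data set uses the default FORMAT(CERTB64); the sample certificate bytes are constructed, not a real certificate.

```python
import base64
import re

# Constructed sample, not a real certificate: one DER SEQUENCE holding 256
# zero bytes, wrapped the way RACDCERT EXPORT FORMAT(CERTB64) wraps output.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.S)
# '-' is 0x60 in EBCDIC code pages 1047 and 037, so a CERTB64 data set that was
# sent in binary mode (no ASCII conversion) still starts with EBCDIC dashes.
EBCDIC_DASHES = b"\x60" * 5


def check_transferred_cert(data: bytes) -> dict:
    """Classify the bytes received from the exported CERTB64 data set.
    status: "ebcdic" (sent without ASCII conversion), "bad_pem" (no usable
    BEGIN/END framing or Base64), "bad_der" (not one complete DER SEQUENCE,
    e.g. a truncated record), or "ok" together with the decoded DER bytes."""
    if data.startswith(EBCDIC_DASHES):
        return {"status": "ebcdic", "der": None}
    m = PEM_RE.search(data)
    if not m:
        return {"status": "bad_pem", "der": None}
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return {"status": "bad_pem", "der": None}
    if not _one_der_sequence(der):
        return {"status": "bad_der", "der": None}
    return {"status": "ok", "der": der}


def _one_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                        # short-form length
        length, hdr = first, 2
    else:                                   # long form: low bits = octet count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)
```

Run `check_transferred_cert(open(path, "rb").read())` on the file that arrived on the client; an "ebcdic" result means the transfer must be repeated in ASCII mode, and "bad_der" means a record was cut short on the way.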