Create the certificates and key rings

This section documents the steps required to create the certificates and key rings necessary for z/OS users of Advanced Message Security (AMS), using a RACF Certificate Authority (CA).


Resolving problems with certificates when using Advanced Message Security on z/OS

If we are having problems with certificates and missing entries in key stores, we can enable a GSKIT trace.

In the file referenced by the ENVARS DD in the AMS started task procedure, add:
GSK_TRACE_FILE=/u/... /gsktrace
GSK_TRACE=0xff
See Environment variables in z/OS Cryptographic Services System SSL Programming for more information.

For every access to the keystore, data is written to the trace file specified in GSK_TRACE_FILE.

To format the trace file, use the command:
gsktrace input_trace_file > output_file


Scenario

A scenario of a sending application and a receiving application is used to explain the required steps.

In the examples that follow, user1 is the originator of a message and user2 is the recipient. The user ID of the Advanced Message Security address space is WMQAMSD.

All of the commands in the examples shown here are issued from ISPF option 6 by the administrative user ID admin.