+

Search Tips   |   Advanced Search

(zos)

Enable writable SAF keyrings

WebSphere Application Server provides the function to allow a WAS administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by utilizing the (Open Cryptographic Services Facility) OCSF Data library functions for SAF keyrings. This task migrates existing configurations and enables writable SAF keyrings.

This task is used for migrating keystore objects that have not been enabled for writable support through profile creation. Writable keyring support is only configurable when running z/OS Release 1.9 or at z/OS Release 1.8 with APAR OA22287 - resource access control facility (RACF ) (or the APAR for the equivalent security product) and APAR OA22295 - SAF.

Before starting this task, wsadmin.sh must be running. See the information about starting the wsadmin scripting client.

By default, if writable keyring support is enabled during profile management, the default keystore configurations are enabled for writable keyrings. Alternatively, if migrating from a pervious WebSphere Application Server installation, we can enable writable keyrings for a keystore object using the following steps.

  • AdminTask can be used in interactive mode and batch mode. For automation the batch mode options should be used. AdminTask batch mode can be called in a JACL or Jython script. Interactive mode steps you through all the parameters the task needs, required ones are marked with a "*". Before the AdminTask runs the task, it echoes the batch mode syntax of the task to the screen. This can be helpful when writing batch mode scripts for automation.

    The following attributes are needed to create writable SAF keyring keystore objects:

    • keyStoreName

    • controlRegionUser

    • servantRegionUser

    The interactive mode procedure to enable writable SAF keyrings is as follows:

    1. Use interactive mode to step through all attributes and use any default values for attributes (if desired).

      The default value is in "[]" on the prompt line. The actual flag used in batch mode is in "()" on each prompt line. For the default value then the flag will not show up on the batch command line.

      • Jacl:

          $AdminTask enableWritableKeyrings -interactive

      • Jython:

          AdminTask.enableWritableKeyings ('[interactive]')

    2. Here is an example of output from step (1):
      *Keystore Name (keyStoreName): NodeDefaultKeyStore
      Management Scope Name (scopeName):
      *Control region userid for z/OS (SAF) (controlRegionUser): CRRACFID
      *Servant region userid for z/OS (SAF) (servantRegionUser): SRRACFID
       Modify keystore for writable SAF support  F (Finish)
      C (Cancel)
       Select [F, C]: [F] F
      WASX7278I: Generated command line: $AdminTask enableWritableKeyrings {-keyStoreName NodeDefaultKeyStore  -controlRegionUser CRRACFID -servantRegionUser SRRACFID })


    Results

    Two additional keystore objects are created that can be accessed using the console to perform certificate operations on the appropriate keyring. The keystore objects are named your_keystore_name -CR and your_keystore_name -SR, where your_keystore_name is the name of the keystore specified on the create command.


    your_keystore_name -CR corresponds to the keyring owned by the RACF ID of the control region process and your_keystore_name -SR corresponds to the keystore owned by the RACF ID of the servant region process. These keystores are created in the same scope as your_keystore_name and can be accessed using the console from the your_keystore_name collection panel.


    What to do next

    Access writable SAF keyrings:

    1. Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore ].

    2. Under Writable SAF Keyrings, click either Control Region Keyring or Servant Region Keyring to display the keystore collection panel for either the control region keyring or servant region keyring, respectively.

    3. Under Additional Properties, navigate to the certificate collection panels to perform certificate management operations.


    Related tasks

  • Create writable SAF keyrings
  • Use writable SAF keyrings
  • Configure the root certificate keyring
  • Start the wsadmin scripting client