(ZOS) Create writable SAF keyrings
WebSphere provides the function that allows a WebSphere administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) Data Library functions for SAF keyrings. This task creates new keystore configurations and their associated keyrings.
The JCERACFKS keystore is used with the IBMJCE provider or the IBMJCECCA provider. Use the JCERACFKS keystore for certificates and keys that are managed and stored by Resource Access Control Facility (RACF). The uniform resource identifier (URI) path reference for the JCERACFKS keystore is in the form safkeyring:///your_keyring_name.
The JCERACFKS keystore type is only available on the z/OS platform.
Important: We must enable support for writable keyrings using the profile management tool prior to generating the application server profiles. Writable keyring support is only configurable when running at z/OS Release 1.9 or at z/OS Release 1.8 with APAR OA22287 - RACF (or the APAR for our equivalent security product) and APAR OA22295 - SAF.
Tasks
- Click Security > SSL certificate and key management . Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration. Under Related items, click Key stores and certificates. Then click the New button.
- Type a name in the Name field. This name uniquely identifies the keystore in the configuration.
- Type the location of the keystore file in the Path field. The URI must contain safkeyring, for example, safkeyring:///your_keyring_name.
- Type the keystore password in the Password field as "password". To be compatible with the JCE keystore, which requires a password, the JCERACFKS password is always "password". Unlike other keystore types, this keystore is not really protected by the password; protection is based on the identity of the executing thread, which RACF checks. This password is for the keystore file specified in the Path field.
- Select JCERACFKS for the Type and complete the rest of the fields as appropriate.
- Deselect the Read only check box.
- For the control region user field, specify the control region started task user ID (RACF ID) under which the control region SAF keyring is created. The user ID must match the exact RACF ID being used by the control region. This option only applies when creating writable SAF keyrings on z/OS.
- For the servant region user field, specify the servant region started task user ID (RACF ID) under which the servant region SAF keyring is created. The user ID must match the exact RACF ID being used by the servant region. This option only applies when creating writable SAF keyrings on z/OS.
- Click OK then click Save to apply these changes to the master configuration.
A keystore is now available to configure SSL connections. Two additional keystore objects are created that can be accessed from the administrative console for performing certificate write operations on the appropriate keyring. The keystore objects are named your_keystore_name-CR and your_keystore_name-SR, where your_keystore_name is the name of the keystore specified on the create command. your_keystore_name-CR corresponds to the keyring owned by the RACF ID of the control region process, and your_keystore_name-SR corresponds to the keyring owned by the RACF ID of the servant region process. These keystores are created in the same scope as your_keystore_name and can be accessed from the administrative console from the your_keystore_name collection panel.
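The same procedure can be scripted through the wsadmin command task framework instead of the administrative console. The following wsadmin Jython script is an added example, not code from the IBM documentation or from WebSphere itself. It assumes that the AdminTask.createKeyStore command accepts the -controlRegionUser and -servantRegionUser parameters for writable SAF keyrings, that AdminTask.listKeyStores accepts -scopeName, and that the AdminUtilities script library is loaded; the scope name, keystore name, keyring name and RACF IDs are placeholders.

```jython
# Added example (not from the original page): wsadmin Jython equivalent of the
# console steps for creating a writable JCERACFKS keystore on z/OS.
# Run with: wsadmin.sh -lang jython -f create_writable_safkeyring.py

scope        = '(cell):MyCell:(node):MyNode'   # assumed scope name (placeholder)
keystoreName = 'SAFWritableKeyStore'           # assumed keystore name (placeholder)
keyringUri   = 'safkeyring:///WASKeyring'      # URI form from the page; ring name is a placeholder
crUser       = 'WSACRU'                        # control region started task RACF ID (placeholder)
srUser       = 'WSASRU'                        # servant region started task RACF ID (placeholder)

# JCERACFKS always uses the literal password "password" (console step 4).
# -keyStoreReadOnly false is the scripted form of clearing the Read only check box;
# -controlRegionUser / -servantRegionUser are assumed to be the parameters behind the
# control region user and servant region user fields.
params = ('[-keyStoreName %s -scopeName %s -keyStoreLocation %s '
          '-keyStorePassword password -keyStorePasswordVerify password '
          '-keyStoreType JCERACFKS -keyStoreReadOnly false '
          '-controlRegionUser %s -servantRegionUser %s]'
          % (keystoreName, scope, keyringUri, crUser, srUser))

# Refuse to proceed if the URI does not use the safkeyring scheme, mirroring the
# "URI must contain safkeyring" requirement from the console procedure.
if keyringUri.find('safkeyring') < 0:
    raise ValueError('JCERACFKS keystore location must be a safkeyring URI: ' + keyringUri)

AdminTask.createKeyStore(params)
AdminConfig.save()   # equivalent of clicking Save (writes the master configuration)

# Verify that the writable keystore and the two generated objects
# (<name>-CR for the control region, <name>-SR for the servant region) now exist
# in the same scope, as the page says they should.
found = AdminUtilities.convertToList(AdminTask.listKeyStores('[-scopeName %s]' % scope))
for entry in found:
    if entry.find(keystoreName) >= 0:
        print 'keystore object in scope: ' + entry
```

Once the script has run, certificate write operations on the control region keyring are performed against the -CR keystore object and those on the servant region keyring against the -SR object, exactly as when the objects are created from the console.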
What to do next
We can continue securing communication between the client and server using this keystore file when setting up an SSL configuration. Additionally, we are now able to perform certificate management operations from the administrative console or command task framework on the writable keystore configurations generated by this command.
RACF keyring considerations
- Certificate Deletion: When a certificate is deleted from a RACF keyring, the certificate is not deleted from RACF; it is only disconnected from the keyring. The certificate can be reconnected through RACF if it is accidentally removed from the keyring. If we want the certificate completely deleted from RACF, it must be removed by the RACF administrator.
- Import and Export of Certificates: During the import and export of certificates to and from managed SAF keystores, if the certificate already exists in RACF under a different label, it is connected to the keyring with the existing label, regardless of the label we assign the certificate on the import or export command.
- Renewing Certificates: Certificates are not physically deleted from RACF. The existing certificate label remains in RACF, so renewing a certificate increments the alias (label) of the certificate by appending _1, _2, and so on, to the existing certificate label.
Related:
- Secure Sockets Layer security for WAS for z/OS
- Keystore configurations for SSL
- WAS security for z/OS
- Use writable SAF keyrings
- Create a Secure Sockets Layer configuration