+

Search Tips   |   Advanced Search

(ZOS) Create SSL digital certificates and SAF keyrings that applications can use to initiate HTTPS requests

Create SSL digital certificates and System Authorization Facility (SAF) keyrings that applications can use to initiate HTTPS requests.

The owner of the SAF keyring (and personal keys) must be the MVS™ user ID established by the servant region's STARTED class profile. This user ID must be the owner because these applications run in the WebSphere Application Server for z/OS servant region address. This user ID is different than the WAS for z/OS controller user ID.

If we use keystores and trust stores in a Hierarchical File System (HFS), a file name uniquely identifies the file within the file system.


Tasks

  1. If we are using Resource Access Control Facility (RACF ) as our security server, we can generate a personal keyring to be used by the HTTPS application by specifying:

      RACDCERT ID(ASSR1) GENCERT  SUBJECTSDN(CN('J2EE SERVER') O('Z/OS WEBSPHERE') 
      L('POUGHKEEPSIE') SP('NEW YORK') C('US')) SIZE(512) 
      WITHLABEL('ASSR1 SERVER CERTIFICATE') SIGNWITH(CERTAUTH LABEL('PVT CA'))
      

    In this example, the certificate authority used to generate the unique servant region certificate is the same one used to generate the certificates for the WAS for z/OS servers by the customization job.

  2. Create a keyring with the same name used for the control region user ID:
    RACDCERT ADDRING(S1GRING) ID( ASSR1 )
    
    The new keyring is owned by the servant user ID for the certificate authority certificate and the servant server certificate.

  3. We must have a certificate authority certificate (a certificate from a certificate authority). We might choose to use the same certificate authority to generate a certificate used by HTTPS applications, which is similar to the certificate used for WAS runtime processing. The certificate authority certificate used to create the digital certificates is used by the WAS Runtime, and is created during system customization (and can be created by the WebSphere z/OS Profile Management Tool or the zpmt command). We can connect this certificate authority certificate to the keyring we just created by specifying:

      RACDCERT ID(ASSR1) CONNECT (RING(S1GRING) LABEL('PVT CA') CERTAUTH)
      
    For this example:

    • S1GRING represents the RACF keyring
    • ASSR1 represents the servant user ID
    • PVT CA represents the certificate authority

    that if the target of the request is another WAS for z/OS server, we must also import the certificate authority certificate used by the WAS for z/OS HTTPS repertoire (which is generally set up during customization) into your keyring if it is different than the certificate signer. If authentication using client certificates is requested, we must also import the certificate authority of the application into the HTTPS repertoire.

  4. Connect the personal certificate to your keyring:

      RACDCERT ID(ASSR1) CONNECT(ID(ASSR1) LABEL('ASSR1 SERVER CERTIFICATE') RING(S1GRING) DEFAULT)
      
    For this example:

    • S1GRING represents the RACF keyring
    • ASSR1 represents the servant user ID
    • ASSR1 SERVER CERTIFICATE represents the server certificate for servant user ID

  5. Enter the customizable information that needs to be unique across a sysplex. This can include the:

    • Subject's public key
    • Subject's Distinguished Name (which uniquely identifies an entity in an X.509 certificate)

      • Common Name
      • Title
      • Organization name
      • Organizational Unit name
      • Locality name
      • State or Province name
      • Country

    • Distinguished Name of the certificate authority that is issuing the certificate
    • Date from which the certificate is valid
    • Expiration date of the certificate
    • Version number
    • Serial number

  6. Verify the output of our customization jobs to see what is set up. Look at HLQ.DATA.(BBOWBRAK, BBOSBRAK if they were saved), and record the settings of the certificate authority certificate label, the servant region's started task identity. To use an existing repertoire definition for web services, the keyring name created.

Consider that:

Some digital certificate and keyring management is required to edit and use the sslConfig property, which is one of the user-definable ibm-webservicesclient-bnd.xmi assembly properties. .

  • Prepare for security at installation time