Create key rings for Advanced Message Security
Certificates used by Advanced Message Security (AMS) for signing and encryption are stored in z/OS SAF key rings. You need to create these key rings and certificates before you can use AMS.
Advanced Message Security accesses certificates in the following key rings:
- A single key ring owned by the AMS address space user.
- Key rings owned by the individual users that send or receive messages on queues with AMS policies defined.
These key rings must all be named drq.ams.keyring.
There is more information on key rings and certificates used by AMS, and an example scenario, in Use certificates on z/OS.
Follow these steps to create the key rings required by AMS, and connect certificates to the key rings. You must create the key ring owned by the AMS address space user before starting AMS. You can create the key rings owned by the users that send or receive messages at any time.
Procedure
1. Issue the following command to create a key ring owned by the AMS address space user:
   RACDCERT ID(amsUser) ADDRING(drq.ams.keyring)
   where amsUser is the user ID of the AMS address space.
2. Create a key ring for each user that sends or receives messages protected by AMS by issuing the command in step 1 for each user ID.
3. Connect the certificate authority (CA) certificate for the issuer of the user certificates to the key ring owned by the AMS address space user ID. Issue the following command:
   RACDCERT ID(amsUser) CONNECT(CERTAUTH LABEL('caLabel') RING(drq.ams.keyring))
   where amsUser is the user ID of the AMS address space, and caLabel is the label of the CA certificate. If you are using RACF as your CA and need to create a certificate authority certificate, follow the example in Defining a local Certificate Authority certificate.
4. If you are using privacy or confidentiality security policies to encrypt messages on queues protected by AMS, connect the certificates of the message recipients to the key ring owned by the AMS address space user ID. Issue the following command:
   RACDCERT ID(amsUser) CONNECT(ID(userId) LABEL('certLabel') RING(drq.ams.keyring) USAGE(SITE))
   where amsUser is the user ID of the AMS address space, userId is the message recipient, and certLabel is the label of the user's certificate. The USAGE(SITE) attribute prevents the private key from being accessible in the key ring.
   If you are creating your own certificates with RACF, follow the example in Create a digital certificate with a private key to create the certificate.
5. Connect the certificate of each user that sends or receives messages protected by AMS to the key ring owned by that user. The certificate must be connected as the default certificate in the key ring. Issue the following command:
   RACDCERT ID(userId) CONNECT(ID(userId) LABEL('certLabel') RING(drq.ams.keyring) DEFAULT USAGE(PERSONAL))
   where userId is the user that is sending or receiving messages, and certLabel is the label of the user's certificate.
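The whole procedure for a constructed scenario, as an added example that is not part of the IBM documentation: a TSO batch job (IKJEFT01) that creates the rings for the AMS address space user and two application users, connects the certificates with the usage each ring needs, and then lists every ring so you can confirm what was connected. AMSUSR, APPA, APPB and the certificate labels are assumed sample values; replace them with your own.

```jcl
//AMSRINGS JOB (ACCT),'AMS KEY RINGS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Assumed sample identities (constructed for this example):
//*   AMSUSR      - user ID of the AMS address space
//*   APPA, APPB  - application users that send or receive messages
//*   'AMS CA'    - label of the CA certificate that issued the user certs
//*   'APPA CERT', 'APPB CERT' - labels of the user certificates
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Step 1: key ring owned by the AMS address space user           */
  RACDCERT ID(AMSUSR) ADDRING(drq.ams.keyring)
  /* Step 2: one key ring per application user, same ring name       */
  RACDCERT ID(APPA) ADDRING(drq.ams.keyring)
  RACDCERT ID(APPB) ADDRING(drq.ams.keyring)
  /* Step 3: CA certificate into the AMS user's ring                 */
  RACDCERT ID(AMSUSR) CONNECT(CERTAUTH LABEL('AMS CA') +
           RING(drq.ams.keyring))
  /* Step 4: recipient certificates into the AMS user's ring with    */
  /*         USAGE(SITE), so the private keys are not reachable here */
  RACDCERT ID(AMSUSR) CONNECT(ID(APPA) LABEL('APPA CERT') +
           RING(drq.ams.keyring) USAGE(SITE))
  RACDCERT ID(AMSUSR) CONNECT(ID(APPB) LABEL('APPB CERT') +
           RING(drq.ams.keyring) USAGE(SITE))
  /* Step 5: each user's own certificate as DEFAULT in the user's    */
  /*         own ring, with USAGE(PERSONAL) so it can sign/decrypt   */
  RACDCERT ID(APPA) CONNECT(ID(APPA) LABEL('APPA CERT') +
           RING(drq.ams.keyring) DEFAULT USAGE(PERSONAL))
  RACDCERT ID(APPB) CONNECT(ID(APPB) LABEL('APPB CERT') +
           RING(drq.ams.keyring) DEFAULT USAGE(PERSONAL))
  /* Refresh the in-storage profiles if these classes are RACLISTed  */
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  /* Check: the AMS ring should show the CA cert plus both user      */
  /* certs as SITE; each user ring should show its own cert as       */
  /* DEFAULT with usage PERSONAL                                      */
  RACDCERT ID(AMSUSR) LISTRING(drq.ams.keyring)
  RACDCERT ID(APPA) LISTRING(drq.ams.keyring)
  RACDCERT ID(APPB) LISTRING(drq.ams.keyring)
/*
```

The TSO comment lines are indented so that `/*` never lands in columns 1 and 2, which would end the in-stream SYSTSIN data prematurely.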