(ZOS) Enabling writable SAF keyrings
WebSphere Application Server provides the function to allow a WAS administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) Data Library functions for SAF keyrings. This task migrates existing configurations and enables writable SAF keyrings.
This task is used to migrate keystore objects that were not enabled for writable support during profile creation. Writable keyring support is configurable only when running z/OS Release 1.9, or z/OS Release 1.8 with APAR OA22287 for Resource Access Control Facility (RACF) (or the corresponding APAR for an equivalent security product) and APAR OA22295 for SAF.
By default, if writable keyring support is enabled during profile management, the default keystore configurations are enabled for writable keyrings. Alternatively, if migrating from a previous WAS installation, we can enable writable keyrings for a keystore object using the following steps.
AdminTask can be used in interactive mode and batch mode. For automation, the batch mode options should be used. AdminTask batch mode can be called from a JACL or Jython script. Interactive mode steps you through all the parameters the task needs; required ones are marked with a "*". Before AdminTask runs the task, it echoes the batch mode syntax of the task to the screen. This is helpful when writing batch mode scripts for automation.
The following attributes are needed to create writable SAF keyring keystore objects:
- keyStoreName
- controlRegionUser
- servantRegionUser
The interactive mode procedure to enable writable SAF keyrings is as follows:
Tasks
- Use interactive mode to step through all attributes and use any default values for attributes (if desired).
The default is shown in "[]" on the prompt line. The actual flag used in batch mode is shown in "()" on each prompt line. If the default value is used, the flag does not appear on the generated batch command line.
- Use Jacl:
$AdminTask enableWritableKeyrings -interactive
- Use Jython:
AdminTask.enableWritableKeyrings('[-interactive]')
- Here is an example of the output from step 1:
*Keystore Name (keyStoreName): NodeDefaultKeyStore
Management Scope Name (scopeName):
*Control region userid for z/OS (SAF) (controlRegionUser): CRRACFID
*Servant region userid for z/OS (SAF) (servantRegionUser): SRRACFID
Modify keystore for writable SAF support
F (Finish)
C (Cancel)
Select [F, C]: [F] F
WASX7278I: Generated command line: $AdminTask enableWritableKeyrings {-keyStoreName NodeDefaultKeyStore -controlRegionUser CRRACFID -servantRegionUser SRRACFID }
Two additional keystore objects are created that can be accessed using the administrative console to perform certificate operations on the appropriate keyring. The keystore objects are named your_keystore_name-CR and your_keystore_name-SR, where your_keystore_name is the name of the keystore specified on the create command.
your_keystore_name-CR corresponds to the keyring owned by the RACF ID of the control region process, and your_keystore_name-SR corresponds to the keyring owned by the RACF ID of the servant region process.
These keystores are created in the same scope as your_keystore_name and can be accessed using the administrative console from the your_keystore_name collection panel.
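The following wsadmin Jython script is an added example and is not part of the IBM documentation or the WebSphere product code. It shows the batch-mode form of the task described above, which is the form to use for automation: it checks that the target keystore exists, skips the task if the companion your_keystore_name-CR and your_keystore_name-SR objects are already present, refuses to run with any of the three required attributes missing, saves the configuration, and verifies that the two companion keystores were created. It assumes it is run under wsadmin (so the AdminTask and AdminConfig objects are supplied by the scripting client) and reuses the page's sample keystore name and RACF IDs; the helper function names are this example's own.

```jython
# Added example (not from the IBM documentation): enable writable SAF keyrings
# in wsadmin batch mode. Assumes execution through wsadmin, which provides the
# AdminTask and AdminConfig objects. Sample values are taken from the page;
# replace them with the values for your cell.

KEYSTORE_NAME = 'NodeDefaultKeyStore'
CONTROL_REGION_USER = 'CRRACFID'   # RACF ID that owns the control region keyring
SERVANT_REGION_USER = 'SRRACFID'   # RACF ID that owns the servant region keyring


def keystore_names():
    """Return the names of every KeyStore object in the cell configuration.
    Names are compared without regard to scope, so a keystore with the same
    name in another scope would also match; narrow the check if your cell
    reuses keystore names across scopes."""
    names = []
    for config_id in AdminConfig.list('KeyStore').splitlines():
        config_id = config_id.strip()
        if config_id:
            names.append(AdminConfig.showAttribute(config_id, 'name'))
    return names


def writable_keyrings_enabled(name, names):
    """The task creates name-CR and name-SR; both present means it already ran."""
    return (name + '-CR') in names and (name + '-SR') in names


def batch_args(name, cr_user, sr_user):
    """Build the batch-mode argument string. keyStoreName, controlRegionUser
    and servantRegionUser are all required, so fail before calling the task
    rather than letting it stop part-way through."""
    for label, value in (('keyStoreName', name),
                         ('controlRegionUser', cr_user),
                         ('servantRegionUser', sr_user)):
        if not value:
            raise ValueError('missing required attribute: ' + label)
    return '[-keyStoreName %s -controlRegionUser %s -servantRegionUser %s]' % (
        name, cr_user, sr_user)


def enable_writable_keyrings(name, cr_user, sr_user):
    """Run the task once for the named keystore; returns 1 if it ran, 0 if
    the keystore was already enabled."""
    names = keystore_names()
    if name not in names:
        raise ValueError('keystore %s does not exist in this cell' % name)
    if writable_keyrings_enabled(name, names):
        print 'Writable keyrings already enabled for %s; nothing to do' % name
        return 0
    AdminTask.enableWritableKeyrings(batch_args(name, cr_user, sr_user))
    # The task only changes the workspace; persist it to the master repository.
    AdminConfig.save()
    # Confirm the two companion keystore objects exist before reporting success.
    if not writable_keyrings_enabled(name, keystore_names()):
        raise RuntimeError('%s-CR / %s-SR were not created' % (name, name))
    print 'Enabled writable keyrings for %s (created %s-CR and %s-SR)' % (
        name, name, name)
    return 1


enable_writable_keyrings(KEYSTORE_NAME, CONTROL_REGION_USER, SERVANT_REGION_USER)
```

Run it with wsadmin.sh -lang jython -f followed by the script path. Keeping the argument-building and the existence checks in separate functions makes the script safe to rerun from a deployment pipeline: a second run finds the -CR and -SR keystores and exits without touching the configuration.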
What to do next
Accessing writable SAF keyrings:
- Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore ].
- Under Writable SAF Keyrings, click either Control Region Keyring or Servant Region Keyring to display the keystore collection panel for either the control region keyring or servant region keyring, respectively.
- Under Additional Properties, navigate to the certificate collection panels to perform certificate management operations.