
(ZOS) Importing a signer certificate from a truststore to a z/OS keyring

We can import a signer certificate, which is also called a certificate authority (CA) certificate, from a truststore on a non-z/OS platform server to a z/OS keyring.


Tasks

  1. On the non-z/OS platform server, change to the install_root/bin directory and start the iKeyman utility, which is called ikeyman.bat (Windows) or ikeyman.sh (UNIX). The install_root variable refers to the installation path for WebSphere Application Server.

  2. Within the iKeyman utility, open the server truststore. The default server truststore is called the trust.p12 file. The file is located in the ${USER_INSTALL_ROOT}/config/cells/cell/nodes/node directory. The default password is WebAS.

  3. Extract the signer certificate from the truststore using the iKeyman utility:

    1. Select Signer certificates from the menu.

    2. Select root from the list.

    3. Select Extract.

    4. Select the correct data type. The signer_certificate can have either a Base64-encoded ASCII data type or a Binary DER data type.

    5. Specify the fully qualified path and the file name of the certificate.

  4. From an FTP prompt on the non-z/OS platform server, type ascii to change the file transfer to ascii mode.

  5. We can ftp the certificate to the z/OS platform either as a file in the Hierarchical File System (HFS) or as an MVS data set. To ftp as a data set, from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' mvs.dataset. The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The mvs.dataset variable is the data set name to which the certificate was exported.

    To ftp as a file in the HFS from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' file_name. The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The file_name variable is the name of the file in the HFS to which the certificate was exported.

    The RACDCERT CERTAUTH ADD command in the next step works with a Multiple Virtual Storage (MVS) data set only. We can either turn the certificate file into a binary MVS data set, or use the put command with an HFS file and then use the following command to copy the file into an MVS data set:

    cp -B /u/veser/Cert/W21S01N.p12 "//'VESER.CERT.W21S01N'"
    

  6. On the z/OS platform server, go to option 6 in the Interactive System Productivity Facility (ISPF) dialog panels and issue the following commands as a super user to add the signer certificate to the z/OS keyring:

    1. Type RACDCERT CERTAUTH ADD('signer_certificate') WITHLABEL('WebSphere Root Certificate') TRUST. The WebSphere Root Certificate variable refers to the label name for the certificate authority (CA) certificate that we are importing from a non-z/OS platform server. The keyring_name variable used in the following commands refers to the name of the z/OS keyring used by the servers in the cell.

    2. Type RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))

    3. Type RACDCERT ID(DMCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))

    4. Type RACDCERT ID(DMSR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))

    In the previous commands, ASCR1, DMCR1, and DMSR1 are the RACF IDs under which the started tasks for the cell run in WAS for z/OS. The ASCR1 value is the RACF ID for the application server control region. The DMCR1 value is the RACF ID for the deployment manager control region. The DMSR1 value is the RACF ID for the deployment manager server region.

After completing these steps, the z/OS keyring contains the signer certificates that originated on the non-z/OS platform server.
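The following helper script is an added example, not part of the IBM page or product: it inspects the certificate extracted in step 3 to choose the matching FTP transfer mode for steps 4 and 5 (ascii for a Base64-encoded extract, binary for a Binary DER extract, since a DER file sent in ascii mode is corrupted and rejected by RACDCERT), and it prints the step 6 RACDCERT command set for a given data set, label, keyring and list of RACF IDs. The data set, label, keyring and ID values are arguments supplied by the caller; those used in the usage line at the bottom are illustrative only.

```shell
#!/bin/sh
# Added helper (not from the IBM page). Assumes a POSIX shell with head, od, tr and grep.

# Print "ascii" for a Base64-encoded (PEM) certificate, "binary" for a DER
# certificate, or "unknown" if the file looks like neither.
transfer_mode() {
    f="$1"
    if head -c 10 "$f" | grep -q -- '-----BEGIN'; then
        # Base64 armor: safe to send in ascii mode (EBCDIC translation on z/OS).
        echo ascii
    elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30);
        # it must be transferred in binary mode so no byte is translated.
        echo binary
    else
        echo unknown
    fi
}

# Emit the RACDCERT commands from step 6 with balanced parentheses.
# Arguments: <mvs.dataset> <label> <keyring_name> <RACF id>...
racdcert_commands() {
    cert="$1"; label="$2"; ring="$3"; shift 3
    printf "RACDCERT CERTAUTH ADD('%s') WITHLABEL('%s') TRUST\n" "$cert" "$label"
    for id in "$@"; do
        printf "RACDCERT ID(%s) CONNECT(CERTAUTH LABEL('%s') RING(%s))\n" \
            "$id" "$label" "$ring"
    done
}

# Illustrative usage (file name, data set and keyring name are placeholders):
#   transfer_mode signer_certificate.arm
#   racdcert_commands 'VESER.CERT.W21S01N' 'WebSphere Root Certificate' keyring_name ASCR1 DMCR1 DMSR1
```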


What to do next

To verify that the certificates were added, use option 6 on the ISPF dialog panel and type the following command:
RACDCERT ID(CBSYMSR1) LISTRING(keyring_name) 

The CBSYMSR1 value is the RACF ID for the application server region.

Although iKeyman is supported for WAS v6.1, customers are encouraged to use the administrative console to export signer certificates.

  • Exporting a signer certificate from WAS for z/OS to a truststore