Creating a CA–signed certificate
Use the following procedure to implement a certificate signed by a Certificate Authority (CA). You start from a self-signed certificate, have a CA sign a request generated from it, and then import the CA–signed certificate into your SAF (RACF or CA ACF2).
- Create a self-signed certificate or select one that already exists (see Creating-a-self-signed-certificate).
- Create a Certificate Signing Request (CSR):
- Create the GENREQ job by using one of the following JCL samples:
- Run the job.
The job writes a base-64 encoded PKCS#10 certificate signing request that carries the certificate's subject name and public key and is signed with the certificate's own private key. The private key never leaves the system; only this request is sent to the CA.
- Send the CSR to a CA, and provide the required information (which varies, depending on which CA you use).
You might need to send the request via FTP to a local machine in order to email it to the CA for signing. If so, use ASCII mode for the FTP transfer so that the EBCDIC text is translated; a binary transfer leaves the request unreadable on the workstation. You should be able to open the request with a text editor and confirm that it resembles this sample request:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDIDCCAggCAQAwgYExCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEQMA4G
A1UEBxMHSG91c3RvbjEZMBcGA1UEChMQQk1DIFNvZnR3YXJlIEluYzEVMBMGA1UE
CxMMUUFQMS5CTUMuQ09NMR4wHAYDVQQDExVCTUNETkEuUUEuVUlNLkNBMUNFUlQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+HA+GGrh+F03sfVAaaaY2
OFMrwAuHMAngpD8DVUqaI+jdml5teIdA8T7rlbUpZKSaxgIzUXWGK8MPQuG1DimA
qm2SrwjLIyeOpsahfs3S95VyhHcTv+gH1RpIdJpnfwRByX2iGVhKPW84/H52hPm4
1D8hlppKdlYePR50IBYtX5ulIHSxOKS50vyuxHjPxNRsfteHze/lonVp86YmhqF4
CW5iKV5bg3NbhBulI2iu2sc6sEUxEDyuwdQHqz3qyK/kx/iS/dea7fHaiXuCj1wW
EUn0yWJq0aXL+9+FSDt54jhp5UA4dnsZmhvjvW8kmISZHr7fUnQvBU9uddLbN/4X
AgMBAAGgWTBXBgkqhkiG9w0BCQ4xSjBIMBcGA1UdEQQQMA6CDFFBUDEuQk1DLkNP
TTAdBgNVHQ4EFgQUxL9/j3WxokvMW3hf3TgBBfaZEP0wDgYDVR0PAQH/BAQDAgSw
MA0GCSqGSIb3DQEBCwUAA4IBAQCRTbFnmBW+tfR6YAlGMlrqZUi7R8v77TODOR9/
pCzUh12i9/B8PKZBeC7Hm8YHdR8ZIY/fMwi9ZSEY8WZsNA0FYYfmg5+Vv00ObqvR
fpZpaJYqXPuu6ZdMU/Q/YXdr332Kk82Ei9jM1UsSH4sthkZC2BCnRg3nSB23FX3W
erDimdgzynwh+vBEDZKOces3PGhdOGuoBs8M1KkrZlY10Mkh2FGYQcbyD8SLUod7
gqS+1VU2X1iJWrJ0dhmmcDscscTzLb87Sd9LoS6mOUAx3m6f6+EVpseUUieL9eEh
TM4iSdYhDPXOJE0z3oTo7zXjB0D/M3/1DQOi88wzf3BXFuNq
-----END NEW CERTIFICATE REQUEST-----
- Retrieve and upload the signed certificate from the CA:
When the CA returns the signed certificate and its chain (this procedure assumes a PFX file, which conforms to the PKCS#12 standard; CAs also commonly deliver a PKCS#7 .p7b file or a base-64 PEM chain), browse and verify it.
You can use the Microsoft Windows certmgr utility or a similar application to verify that the certificate looks correct: the subject name and public key of the leaf certificate must match the request you sent, and the chain must lead to the CA root you expect.
- Upload the signed certificate to your IBM z/OS environment by using FTP in binary mode to prevent data corruption. Unlike the text request, a PFX file is binary data, so an ASCII-mode transfer would apply character translation and corrupt it.
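Before the request goes to the CA, and again when the signed certificate comes back, it pays to check what the request actually contains rather than only its outward shape. The following Python script is an added example, not BMC code or a tool documented on this page: using only the standard library, it decodes the PKCS#10 request shown above, extracts the subject name, key size and requested subjectAltName entries, and verifies the request's self-signature, which fails if the request was modified after GENREQ produced it. The CN and SAN values passed to check_csr() are assumptions taken from the sample; substitute the names you intend to request. The subject and public key it reports are also what you compare against the leaf certificate the CA returns.

```python
# Added example (not BMC code): inspect a PKCS#10 CSR with the Python standard library only, by walking
# its DER encoding. SAMPLE_CSR_PEM is the request shown on this page; check_csr() inputs are assumptions.
import base64
import hashlib

SAMPLE_CSR_PEM = """\
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDIDCCAggCAQAwgYExCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEQMA4G
A1UEBxMHSG91c3RvbjEZMBcGA1UEChMQQk1DIFNvZnR3YXJlIEluYzEVMBMGA1UE
CxMMUUFQMS5CTUMuQ09NMR4wHAYDVQQDExVCTUNETkEuUUEuVUlNLkNBMUNFUlQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+HA+GGrh+F03sfVAaaaY2
OFMrwAuHMAngpD8DVUqaI+jdml5teIdA8T7rlbUpZKSaxgIzUXWGK8MPQuG1DimA
qm2SrwjLIyeOpsahfs3S95VyhHcTv+gH1RpIdJpnfwRByX2iGVhKPW84/H52hPm4
1D8hlppKdlYePR50IBYtX5ulIHSxOKS50vyuxHjPxNRsfteHze/lonVp86YmhqF4
CW5iKV5bg3NbhBulI2iu2sc6sEUxEDyuwdQHqz3qyK/kx/iS/dea7fHaiXuCj1wW
EUn0yWJq0aXL+9+FSDt54jhp5UA4dnsZmhvjvW8kmISZHr7fUnQvBU9uddLbN/4X
AgMBAAGgWTBXBgkqhkiG9w0BCQ4xSjBIMBcGA1UdEQQQMA6CDFFBUDEuQk1DLkNP
TTAdBgNVHQ4EFgQUxL9/j3WxokvMW3hf3TgBBfaZEP0wDgYDVR0PAQH/BAQDAgSw
MA0GCSqGSIb3DQEBCwUAA4IBAQCRTbFnmBW+tfR6YAlGMlrqZUi7R8v77TODOR9/
pCzUh12i9/B8PKZBeC7Hm8YHdR8ZIY/fMwi9ZSEY8WZsNA0FYYfmg5+Vv00ObqvR
fpZpaJYqXPuu6ZdMU/Q/YXdr332Kk82Ei9jM1UsSH4sthkZC2BCnRg3nSB23FX3W
erDimdgzynwh+vBEDZKOces3PGhdOGuoBs8M1KkrZlY10Mkh2FGYQcbyD8SLUod7
gqS+1VU2X1iJWrJ0dhmmcDscscTzLb87Sd9LoS6mOUAx3m6f6+EVpseUUieL9eEh
TM4iSdYhDPXOJE0z3oTo7zXjB0D/M3/1DQOi88wzf3BXFuNq
-----END NEW CERTIFICATE REQUEST-----
"""
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
             "2.5.4.11": "OU", "2.5.29.17": "subjectAltName", "1.2.840.113549.1.9.14": "extensionRequest",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos=0):  # one DER element at pos -> (tag, content, end); short and long length forms
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):  # split a constructed element's content into (tag, content) pairs
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def oid_name(raw):  # decode a DER OBJECT IDENTIFIER (base-128 arcs); map it to a short name if known
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    oid = ".".join(map(str, arcs))
    return OID_NAMES.get(oid, oid)

def rsa_pkcs1_sha256_ok(signed, sig, n, e):
    # RSASSA-PKCS1-v1_5 with SHA-256: the self-signature proves the requester holds the private key
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(signed).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def parse_csr(pem):
    der = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, info, info_end = read_tlv(body)  # CertificationRequestInfo: the bytes the signature covers
    (_, sig_alg), (_, sig) = children(body[info_end:])
    _, (_, subject), (_, spki), (_, attrs) = children(info)  # version, subject, SPKI, attributes [0]
    rdns, sans = [], []
    for _, rdn in children(subject):  # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            rdns.append(f"{oid_name(oid)}={value.decode('utf-8')}")
    _, (_, pubkey) = children(spki)  # BIT STRING: pubkey[0] is the unused-bit count, then RSAPublicKey
    (_, modulus), (_, exponent) = children(children(pubkey[1:])[0][1])
    n, e = int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")
    for _, attr in children(attrs):  # the PKCS#9 extensionRequest attribute carries the requested SANs
        (_, attr_oid), (_, values) = children(attr)
        if oid_name(attr_oid) == "extensionRequest":
            for _, ext in children(children(values)[0][1]):
                fields = children(ext)  # extnID, optional critical BOOLEAN, extnValue OCTET STRING
                if oid_name(fields[0][1]) == "subjectAltName":
                    names = children(children(fields[-1][1])[0][1])
                    sans += [v.decode("ascii") for t, v in names if t == 0x82]  # 0x82 = dNSName
    sig_name = oid_name(children(sig_alg)[0][1])
    return {"subject": ", ".join(rdns), "key_bits": n.bit_length(), "public_exponent": e,
            "subject_alt_names": sans, "signature_algorithm": sig_name,
            "signature_valid": rsa_pkcs1_sha256_ok(body[:info_end], sig[1:], n, e)
            if sig_name == "sha256WithRSAEncryption" else None}  # None: algorithm not checked here

def check_csr(pem, expected_cn, expected_sans):
    # Compare the request against what you meant to ask for before it goes to the CA
    info, problems = parse_csr(pem), []
    if f"CN={expected_cn}" not in info["subject"].split(", "):
        problems.append(f"CN mismatch: subject is {info['subject']}")
    if missing := sorted(set(expected_sans) - set(info["subject_alt_names"])):
        problems.append(f"missing subjectAltName entries: {missing}")
    if info["signature_valid"] is False:
        problems.append("self-signature does not verify: the request was altered or the key does not match")
    return problems
```

Run parse_csr() on the request as it sits on the workstation after the ASCII-mode FTP: a request that does not decode to a single DER SEQUENCE was corrupted in transfer, and check_csr() then tells you whether the CN and dNSName entries are the ones you meant to ask the CA to certify.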
- Import the CA–signed certificate:
- Import the certificate into your SAF by using one of the following JCL samples:
- Run the job.
- (Required for RACF; optional for CA ACF2) Determine the labels of the intermediate and root CA certificates.
The label values are needed to connect the CA certificates to the key ring you create for RACF. These values might be in the output of your ADD (for RACF) or INSERT (for CA ACF2) job. If not, use one of the following JCL samples to determine the labels:
- Sample JCL if you use RACF:
[yourJobCardHere]
//RACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT CERTAUTH LIST
/*
//
- Sample JCL if you use CA ACF2:
[yourJobCardHere]
//ACFJOB EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSLBC DD DISP=SHR,DSN=dataSetName
//SYSHELP DD DISP=SHR,DSN=dataSetName
//SYSIN DD *
SET PROFILE(USER) DIV(CERTDATA)
LIST (-)
/*
//
- Run the job.
The output lists all CA certificates known to your security product, which should include every certificate in your chain. Identify them by matching attributes such as subject name and serial number to the chain displayed in the certmgr utility.
- Create a key ring:
- Create a key ring for your SAF by using one of the following JCL samples:
- Run the job.
- Update the UIM startup configuration member to use a CA–signed certificate:
Specify your key ring.
Add or update the following parameter in the configuration member:
<BMC_PARM ID="SSL_STORE" VALUE="R_DATALIB">
<BMC_PARM ID="SSL_CERTIFICATE"
VALUE="userID/yourKeyRingLabel" />
</BMC_PARM>
Specifying R_DATALIB for the SSL_STORE VALUE attribute indicates that the certificate is attached to a key ring.
SSL_CERTIFICATE specifies the label of the key ring that you created and its associated user ID (both of which are required for UIM to access the key ring). The value must be the user ID, followed by a forward slash ( / ), followed by the key ring label, with no white space anywhere in the value.
Specify your private key.
Add or update the following parameter in the configuration member:
<BMC_PARM ID="SSL_STORE" VALUE="ICSF">
<BMC_PARM ID="SSL_PRIVATE_KEY"
VALUE="yourPkdsLabel"/>
</BMC_PARM>
Specifying ICSF for the SSL_STORE VALUE attribute indicates that the private key associated with your certificate is stored in the ICSF PKA key data set (PKDS).
The SSL_PRIVATE_KEY VALUE attribute gives UIM the unique identifier of the private key associated with your certificate. Specify the same PKDS label that you used when you created the initial, self-signed version of the certificate, which is also the value you used on your ADD (for RACF) or INSERT (for ACF2) command. The CA signs the public key you submitted, so the key pair, and therefore its PKDS label, does not change.
- Specify the UIM encryption level.
Add or update the following parameter in the configuration member:
<BMC_PARM ID="ENCRYPTION_LEVEL" VALUE="SSL-IF" />
BMC recommends using the value SSL-IF. In this mode (SSL/TLS Conditional), UIM accepts both SSL-enabled and non-SSL-enabled connections.
Alternatively, you can specify SSL-REQUIRED, which runs UIM in SSL/TLS Required mode. In this mode, UIM rejects all connection attempts that are not SSL enabled. Consequently, any UIM URLs that you have accessed via a web browser become unavailable; only their equivalent URLs beginning with https:// will be available.
Keep in mind that Conditional mode leaves the plaintext http:// listener reachable, so anything sent to UIM over those URLs still crosses the network unencrypted. Treat SSL-IF as a transition setting: once you have confirmed that your browsers and clients accept the CA–signed certificate, switch to SSL-REQUIRED so that only https:// connections are served.
- Verify the results:
- If the UIM task is running, stop it, and then start it again.
The MSGLOG output DD lists the UIM settings and includes your certificate and private key labels. Confirm that the encryption mode, the certificate and private key stores, and the labels match what you specified in the configuration member. The sample below comes from a task whose certificate is read from a data set (Certificate Store: DSN); with the key ring settings above, expect the Certificate Store and SSL Certificate lines to reflect your key ring instead:
13:15:26.939 001 BMC340110I HTPMain **Initialized**
13:15:26.939 001 BMC340116I UIM Server started with these settings:
*********************************************************************
…
13:15:26.940 001 SSL/TLS Encryption: Conditional
13:15:26.940 001 Certificate Store: DSN
13:15:26.940 001 SSL Certificate: yourCertificateDSN
13:15:26.940 001 Private Key Store: ICSF
13:15:26.940 001 SSL Private Key: yourPkdsLabel
Start a console session.
Until now, you have installed or launched BMC consoles by entering a URL in this format in a web browser:
http://host:port
When using SSL/TLS, you now use an equivalent secure URL in this format:
https://host:port
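The settings banner is also something you can check mechanically after every restart, which matters most when several systems run UIM. The following Python script is an added example, not BMC code: it parses the "Name: value" settings lines from the MSGLOG banner shown on this page and reports an encryption mode that still accepts plaintext, or a certificate store, certificate label or private key label that differs from what the configuration member specifies. The wording "Required" for SSL-REQUIRED mode is an assumption (the page only shows the Conditional form), as are the expected values passed to audit_tls_settings().

```python
# Added example (not BMC code): read the TLS settings that UIM reports in the MSGLOG startup
# banner and flag anything that does not match the intended configuration. SAMPLE_MSGLOG is the
# output shown on this page; the expected_* values passed to audit_tls_settings() are assumptions.
import re

SAMPLE_MSGLOG = """\
13:15:26.939 001 BMC340110I HTPMain **Initialized**
13:15:26.939 001 BMC340116I UIM Server started with these settings:
*********************************************************************
…
13:15:26.940 001 SSL/TLS Encryption: Conditional
13:15:26.940 001 Certificate Store: DSN
13:15:26.940 001 SSL Certificate: yourCertificateDSN
13:15:26.940 001 Private Key Store: ICSF
13:15:26.940 001 SSL Private Key: yourPkdsLabel
"""

# Assumed wording of the banner in SSL-REQUIRED mode; the page only shows the Conditional form.
REQUIRED_MODE = "Required"

# A settings line is: time, task number, 'Name: value'. Message lines carry a BMC message ID instead.
SETTING_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} +\d{3} +(?P<name>[^:]+?): +(?P<value>.+)$")


def parse_settings(msglog):
    """Return the 'Name: value' settings from the startup banner as a dict."""
    settings = {}
    for line in msglog.splitlines():
        match = SETTING_LINE.match(line.rstrip())
        if match:
            settings[match["name"]] = match["value"].strip()
    return settings


def audit_tls_settings(msglog, expected_cert_store, expected_certificate, expected_private_key):
    """Return a list of findings; an empty list means the task started with the intended TLS settings."""
    settings, findings = parse_settings(msglog), []
    mode = settings.get("SSL/TLS Encryption")
    if mode != REQUIRED_MODE:
        findings.append(f"SSL/TLS Encryption is {mode!r}: plaintext http:// connections are still accepted")
    for name, expected in (("Certificate Store", expected_cert_store),
                           ("SSL Certificate", expected_certificate),
                           ("SSL Private Key", expected_private_key)):
        if settings.get(name) != expected:
            findings.append(f"{name} is {settings.get(name)!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    # Checks the page's sample banner against the key ring configuration described above.
    for finding in audit_tls_settings(SAMPLE_MSGLOG, "R_DATALIB", "userID/yourKeyRingLabel", "yourPkdsLabel"):
        print("FINDING:", finding)
```

Against the sample banner and the key ring settings from this procedure, the audit reports three findings: Conditional mode, a DSN certificate store where R_DATALIB was configured, and a certificate label that is not the userID/keyring value. Only the private key label matches, which is expected, since the PKDS label does not change when the certificate is re-signed.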