Creating a self-signed certificate
- Create a self-signed certificate:
  - Create the GENCERT job by using one of the following JCL samples:
  - Run the GENCERT job.
    After the job runs successfully, the certificate resides in RACF or CA ACF2.
  - (Optional) Verify the presence of your certificate by using one of the following JCL samples to list all of the certificates associated with your user ID:
    - For RACF
[yourJobCardHere]
//RACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(yourUserID) LIST
/*
//
    - For CA ACF2
[yourJobCardHere]
//ACFJOB EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSLBC DD DISP=SHR,DSN=dataSetName
//SYSHELP DD DISP=SHR,DSN=dataSetName
//SYSIN DD *
SET PROFILE(USER) DIV(CERTDATA)
LIST yourUserID
/*
//
    For CA ACF2, the output also includes the suffix that CA ACF2 generated for your user ID (for example, AUTO002). All subsequent commands for this certificate must include that suffix when you specify the user ID.
- Export the self-signed certificate to a data set:
  - Create the EXPORT job by using one of the following JCL samples:
  - Run the EXPORT job.
    After the job runs successfully, the certificate resides in the specified data set.
- Update the UIM Startup configuration member to use a self-signed certificate:
  - Specify your certificate data set.
    Add or update the following parameter in the configuration member:
    <BMC_PARM ID="SSL_STORE" VALUE="DSN">
      <BMC_PARM ID="SSL_CERTIFICATE" VALUE="exportTargetDataSet" />
    </BMC_PARM>
    Specifying DSN for the SSL_STORE VALUE attribute indicates that the certificate is stored in a data set.
    The SSL_CERTIFICATE VALUE attribute specifies the data set that contains the certificate. Specify the name of the data set that you created with the EXPORT command.
  - Specify your private key.
    Add or update the following parameter in the configuration member:
    <BMC_PARM ID="SSL_STORE" VALUE="ICSF">
      <BMC_PARM ID="SSL_PRIVATE_KEY" VALUE="pkdsLabel" />
    </BMC_PARM>
    Specifying ICSF for the SSL_STORE VALUE attribute indicates that the private key associated with your certificate is stored in the ICSF Private Key Data Set (PKDS).
    The SSL_PRIVATE_KEY VALUE attribute gives UIM the unique identifier of the private key associated with your certificate. Specify the label that you used when you created the certificate with the GENCERT command.
  - Specify the UIM encryption level.
    Add or update the following parameter in the configuration member:
    <BMC_PARM ID="ENCRYPTION_LEVEL" VALUE="SSL-IF" />
    BMC recommends SSL-IF for the value. In this mode (SSL/TLS Conditional), UIM accepts both SSL-enabled and non-SSL-enabled connections.
    Alternatively, you can specify SSL-REQUIRED, which runs UIM in SSL/TLS Required mode. In this mode, UIM rejects every connection attempt that is not SSL enabled. Consequently, any UIM URLs that you previously accessed through a web browser over http:// become unavailable; only the equivalent URLs beginning with https:// remain available.
- Verify the results:
  - If the UIM task is running, stop it.
  - Start or restart the UIM task.
    The MSGLOG output DD lists the UIM settings and includes your certificate and private key labels:
13:15:26.939 001 BMC340110I HTPMain **Initialized**
13:15:26.939 001 BMC340116I UIM Server started with these settings:
*********************************************************************
…
13:15:26.940 001 SSL/TLS Encryption: Conditional
13:15:26.940 001 Certificate Store: DSN
13:15:26.940 001 SSL Certificate: yourCertificateDSN
13:15:26.940 001 Private Key Store: ICSF
13:15:26.940 001 SSL Private Key: yourPkdsLabel
  - Start a console session.
    Until now, you have installed or launched BMC consoles by entering a URL in this format in a web browser:
    http://host:port
    With SSL/TLS, you now use an equivalent secure URL in this format:
    https://host:port
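The configuration and verification steps above can be checked mechanically before and after the restart. The following Python script is an added example, not BMC code and not part of this procedure: it parses the three BMC_PARM settings from a copy of the Startup configuration member, reports whether the member leaves non-SSL connections open (SSL-IF) or is missing the certificate or private-key store, and then compares the settings that UIM prints after BMC340116I in MSGLOG with what the member requested. The member text, the MSGLOG excerpt, the data set name YOUR.UIM.CERT and the PKDS label UIM.PKDS.LABEL are constructed samples; the mapping of SSL-REQUIRED to the log word "Required" is an assumption, since the page only shows "Conditional" for SSL-IF.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a UIM Startup configuration member (assumed layout, not a real member).
SAMPLE_CONFIG = """
<BMC_PARM ID="SSL_STORE" VALUE="DSN"><BMC_PARM ID="SSL_CERTIFICATE" VALUE="YOUR.UIM.CERT" /></BMC_PARM>
<BMC_PARM ID="SSL_STORE" VALUE="ICSF"><BMC_PARM ID="SSL_PRIVATE_KEY" VALUE="UIM.PKDS.LABEL" /></BMC_PARM>
<BMC_PARM ID="ENCRYPTION_LEVEL" VALUE="SSL-IF" />
"""

# Constructed MSGLOG excerpt in the shape the procedure shows after BMC340116I.
SAMPLE_MSGLOG = """\
13:15:26.939 001 BMC340110I HTPMain **Initialized**
13:15:26.939 001 BMC340116I UIM Server started with these settings:
*********************************************************************
13:15:26.940 001 SSL/TLS Encryption: Conditional
13:15:26.940 001 Certificate Store: DSN
13:15:26.940 001 SSL Certificate: YOUR.UIM.CERT
13:15:26.940 001 Private Key Store: ICSF
13:15:26.940 001 SSL Private Key: UIM.PKDS.LABEL
"""


def parse_config(text):
    """Parse BMC_PARM elements. Returns {ID: VALUE} for top-level parms and
    {ID: (store, VALUE)} for parms nested inside an SSL_STORE parm."""
    root = ET.fromstring("<root>" + text + "</root>")
    top, stored = {}, {}
    for parm in root:
        pid, value = parm.get("ID"), parm.get("VALUE")
        if pid == "SSL_STORE":
            for child in parm:
                stored[child.get("ID")] = (value, child.get("VALUE"))
        else:
            top[pid] = value
    return top, stored


def check_config(top, stored):
    """Return (severity, message) findings; an empty list means the member carries
    the three settings the procedure asks for and requires SSL on every connection."""
    findings = []
    level = top.get("ENCRYPTION_LEVEL")
    if level is None:
        findings.append(("ERROR", "ENCRYPTION_LEVEL is not set; SSL/TLS is not enabled"))
    elif level == "SSL-IF":
        findings.append(("WARN", "SSL-IF still accepts non-SSL connections; http:// URLs remain usable"))
    elif level != "SSL-REQUIRED":
        findings.append(("ERROR", f"ENCRYPTION_LEVEL {level!r} is neither SSL-IF nor SSL-REQUIRED"))
    cert = stored.get("SSL_CERTIFICATE")
    if cert is None or cert[0] != "DSN":
        findings.append(("ERROR", 'SSL_CERTIFICATE must be nested under SSL_STORE VALUE="DSN"'))
    key = stored.get("SSL_PRIVATE_KEY")
    if key is None or key[0] != "ICSF":
        findings.append(("ERROR", 'SSL_PRIVATE_KEY must be nested under SSL_STORE VALUE="ICSF"'))
    return findings


# Settings lines carry a timestamp and sequence number but no BMCnnnnnnI message id.
LOG_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} \d{3} (?!BMC\d+I )([^:]+): (.+)$")


def parse_msglog(text):
    """Extract the 'name: value' settings lines that follow BMC340116I."""
    settings = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings


def startup_matches_config(top, stored, log):
    """True when the values UIM reports at startup equal what the member requests."""
    # "Conditional" is what the procedure shows for SSL-IF; "Required" for SSL-REQUIRED is assumed.
    expected_mode = {"SSL-IF": "Conditional", "SSL-REQUIRED": "Required"}
    none_pair = (None, None)
    return (
        log.get("SSL/TLS Encryption") == expected_mode.get(top.get("ENCRYPTION_LEVEL"))
        and log.get("Certificate Store") == stored.get("SSL_CERTIFICATE", none_pair)[0]
        and log.get("SSL Certificate") == stored.get("SSL_CERTIFICATE", none_pair)[1]
        and log.get("Private Key Store") == stored.get("SSL_PRIVATE_KEY", none_pair)[0]
        and log.get("SSL Private Key") == stored.get("SSL_PRIVATE_KEY", none_pair)[1]
    )


if __name__ == "__main__":
    top, stored = parse_config(SAMPLE_CONFIG)
    for severity, message in check_config(top, stored):
        print(f"{severity}: {message}")
    print("startup matches member:", startup_matches_config(top, stored, parse_msglog(SAMPLE_MSGLOG)))
```

Run against a copy of the member and the MSGLOG output, the script flags the SSL-IF warning because that mode still serves the plain http:// URLs; switching the member to SSL-REQUIRED clears the finding, and the comparison then expects the log to report a different encryption mode, which is the signal that the restart picked up the new setting.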