Sample JCL to create a key ring for RACF


Use the following sample JCL to create a key ring for use with RACF:

[yourJobCardHere]
//RACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
    RACDCERT ADDRING(yourKeyRingName) ID(yourUserID)
    RACDCERT CONNECT(ID(yourUserID) LABEL('yourCertificateLabel') +
             RING(yourKeyRingName) USAGE(PERSONAL) ) ID(yourUserID)
    RACDCERT CONNECT(CERTAUTH LABEL('yourCAcertificateLabel1') +
             RING(yourKeyRingName) )
    RACDCERT CONNECT(CERTAUTH LABEL('yourCAcertificateLabel2') +
             RING(yourKeyRingName) )
/*
//
Warning

The order in which you add certificates to your key ring is critical. You must begin with the certificate you created, followed by the certificate that signed it, and so on up the chain. The last certificate you add must be the root certificate.

You can determine the correct order by viewing the certificate chain with the Windows certmgr utility or a similar application. The certmgr utility lists certificates starting with the root and proceeding to the site-specific certificates. This is the opposite order from the one you use to add the certificate labels to your JCL.


The following information explains this JCL:

| Statement | Description |
|---|---|
| ADDRING | Unique name for your key ring |
| (Optional) ID | User ID to associate with the key ring. If you do not include this subparameter, the key ring is created under your user ID. Because your key ring and CA-signed certificate are both associated with your ID, the ADDRING and CONNECT commands for your certificate both use your ID. |
| (First instance) LABEL | Personal certificate label |
| (Subsequent instances) LABEL | Labels of the CA-signed certificates. Use as many of these statements as needed. |
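The ordering rule in the warning above can be applied mechanically. The following Python sketch is an added example, not part of the original sample or of any vendor tooling: it takes certificates in any order (for instance root first, as certmgr lists them), walks from the personal certificate up to the root, and emits the SYSTSIN statements in the required order. It assumes each certificate is linked to its signer by matching issuer name to subject name, and all labels, names, the ring name and the user ID are constructed placeholders.

```python
# Added example: order a chain personal-certificate-first and build the
# RACDCERT statements. All labels and names are constructed placeholders.

def order_leaf_to_root(certs, personal_label):
    """certs: dicts with 'label', 'subject', 'issuer', in any order.
    Returns labels ordered personal certificate first, root last."""
    by_subject = {c["subject"]: c for c in certs}
    current = next((c for c in certs if c["label"] == personal_label), None)
    if current is None:
        raise ValueError(f"personal certificate {personal_label!r} not in list")
    ordered, seen = [], set()
    while True:
        if current["subject"] in seen:
            raise ValueError("loop in chain at " + current["subject"])
        seen.add(current["subject"])
        ordered.append(current["label"])
        if current["issuer"] == current["subject"]:  # self-signed: root reached
            return ordered
        issuer = by_subject.get(current["issuer"])
        if issuer is None:  # an intermediate or the root is missing
            raise ValueError("chain is incomplete: no certificate for issuer "
                             + current["issuer"])
        current = issuer


def racdcert_statements(certs, personal_label, ring, user_id):
    """Build the SYSTSIN lines in the order the page requires."""
    labels = order_leaf_to_root(certs, personal_label)
    lines = [f"    RACDCERT ADDRING({ring}) ID({user_id})",
             f"    RACDCERT CONNECT(ID({user_id}) LABEL('{labels[0]}') +",
             f"             RING({ring}) USAGE(PERSONAL) ) ID({user_id})"]
    for ca_label in labels[1:]:
        lines += [f"    RACDCERT CONNECT(CERTAUTH LABEL('{ca_label}') +",
                  f"             RING({ring}) )"]
    return lines


# Constructed sample, listed root first as certmgr displays a chain.
SAMPLE = [
    {"label": "Example Root CA", "subject": "CN=Example Root CA",
     "issuer": "CN=Example Root CA"},
    {"label": "Example Issuing CA", "subject": "CN=Example Issuing CA",
     "issuer": "CN=Example Root CA"},
    {"label": "MYSERVER", "subject": "CN=myserver.example.com",
     "issuer": "CN=Example Issuing CA"},
]

if __name__ == "__main__":
    print("\n".join(racdcert_statements(SAMPLE, "MYSERVER", "MYRING", "MYUSER")))
```

A missing intermediate or root raises an error instead of producing a ring with a broken chain.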

 
