Sample JCL to create a self signed certificate for RACF

Use the following sample JCL to create a self-signed certificate for use with RACF:

[yourJobCardHere]
//RACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT GENCERT +
         SUBJECTSDN( CN( 'yourServerCom' ) +
                     OU( 'yourOrganizationalUnit' ) +
                     O( 'yourOrganization' ) +
                     L( 'yourLocality' ) +
                     S( 'yourState' ) +
                     C( 'yourCountry' ) ) +
         SIZE(2048) +
         WITHLABEL('yourLabelHere') +
         PCICC(yourPkdsLabelHere) +
         KEYUSAGE( HANDSHAKE )
/*
//

The following information explains each statement in this JCL:

SUBJECTSDN

Combination of subparameters that describes the entity for which the certificate is being created

In this example, the entity is the system on which you will run UIM.

  • CN (Common Name)
    The value that applications such as web browsers use to determine whether the certificate was created for the server that is presenting it.
    If this value does not match the result of DNS lookups, most applications will issue a warning or prevent the connection completely. This value can include an asterisk wildcard. For example, '*.bmc.com' is valid.
  • OU (Organizational Unit)
    The name of your organizational unit within your enterprise
  • O (Organization)
    The name of your enterprise
  • L (Locality)
    Generally, the city in which your enterprise is headquartered
  • S or ST (State)
    Generally, the state or province in which your enterprise is headquartered
  • C (Country)
    Generally, the two-letter country code in which your enterprise is headquartered

SIZE

Size (in bits) of the private key that is generated and associated with this certificate

The certificate contains the corresponding public key, which is generated at the same time. Larger keys are more secure. This number is not arbitrary: only a few predefined values are accepted. If you want to change the value, refer to the RACF documentation for the valid values.

WITHLABEL

Unique identifier that RACF uses for your certificate

The identifier can be up to 32 characters, can contain blanks, and can use mixed case. For more information, see the IBM documentation.

PCICC

The private key that is generated for the certificate at the same time as the certificate itself

The PCICC parameter specifies the type of key to be created. The label that you provide is the unique identifier that RACF uses to locate your private key within the Private Key Data Set (PKDS). The PKDS label must be unique, can be up to 64 characters, is not case-sensitive, and must consist of alphanumeric characters, the national characters @, #, and $, or a period (.). The first character must be alphanumeric, @, #, or $, and you cannot use blanks. For more information, see the IBM documentation.

KEYUSAGE

Declaration of the purpose of this key

You can use keys for a number of purposes, but you must declare them when creating the key. Because this key will be used only for the security handshake (a step in the SSL/TLS protocol), HANDSHAKE is the appropriate value.

Tip

You might find it useful to define multiple host names for which your certificate is valid. Certificates can contain Subject Alternative Name (SAN) values. The RACDCERT GENCERT command allows you to specify only one SAN, by including the ALTNAME parameter:

ALTNAME(DOMAIN('yourDomainHere')) +

You might be able to work around the RACF single-SAN limitation by using wildcards in your SAN value (for example, '*.bmc.com'). For more information about this subparameter, see the RACF documentation.
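The label rules given under WITHLABEL and PCICC above, and the CN/SAN wildcard matching described under SUBJECTSDN and in this tip, can be checked before the job is submitted. The following pre-flight checker is an added example, not part of this page or of RACF; the function names are my own, and the one-label wildcard rule is the standard TLS client behaviour, not something RACF enforces.

```python
import re

# Constraints as stated on the page for RACDCERT GENCERT operands.
WITHLABEL_MAX = 32       # WITHLABEL: up to 32 characters, blanks and mixed case allowed
PKDS_LABEL_MAX = 64      # PCICC label: up to 64 characters, no blanks, case-insensitive
PKDS_FIRST = re.compile(r"[A-Z0-9@#$]")      # first character of a PKDS label
PKDS_REST = re.compile(r"[A-Z0-9@#$.]*")     # remaining characters (period allowed)


def check_withlabel(label: str) -> list:
    """Problems with a WITHLABEL value; [] means it satisfies the page's rules."""
    problems = []
    if not 1 <= len(label) <= WITHLABEL_MAX:
        problems.append("WITHLABEL must be 1-%d characters" % WITHLABEL_MAX)
    return problems


def check_pkds_label(label: str) -> list:
    """Problems with a PCICC/PKDS label; [] means it satisfies the page's rules.
    The label is not case-sensitive, so it is folded to upper case first."""
    up = label.upper()
    problems = []
    if not 1 <= len(up) <= PKDS_LABEL_MAX:
        problems.append("PKDS label must be 1-%d characters" % PKDS_LABEL_MAX)
    if " " in up:
        problems.append("PKDS label must not contain blanks")
    if up and not PKDS_FIRST.fullmatch(up[0]):
        problems.append("PKDS label must start with A-Z, 0-9, @, # or $")
    if not PKDS_REST.fullmatch(up[1:]):
        problems.append("PKDS label may contain only A-Z, 0-9, @, #, $ and '.'")
    return problems


def cn_matches_host(cn: str, host: str) -> bool:
    """Does a CN (or DNS SAN) cover this host the way TLS clients check it?
    Comparison is case-insensitive and a leading '*.' covers exactly one DNS
    label: '*.bmc.com' covers 'uim.bmc.com' but neither 'bmc.com' nor
    'a.b.bmc.com'. Any other '*' is compared literally."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]                        # e.g. '.bmc.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]         # the label the '*' has to stand for
    return leftmost != "" and "." not in leftmost


def preflight(cn: str, host: str, withlabel: str, pkds_label: str) -> list:
    """Collect every problem with the planned operands; [] means the job can go."""
    problems = check_withlabel(withlabel) + check_pkds_label(pkds_label)
    if not cn_matches_host(cn, host):
        problems.append("CN %r will not match host %r" % (cn, host))
    return problems
```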
