Using the basic methods - RACF or Control-M Configuration Manager

This section describes the procedures that use RACF (an example of SAF) and the Control-M Configuration Manager.

To create keys and certificates using RACF:

  1. Create a local CA certificate called MYCA using the following command. Modify the command parameters to reflect the naming conventions used at the installation:

    RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('MYCA') O('BMC') C('US')) KEYUSAGE(CERTSIGN) WITHLABEL('MYCA')

  2. Create a private/public key pair and a digital certificate using the following command. The local CA certificate, MYCA, is used for the digital certificate. Replace GATEUSER with the IOAGATE RACF user ID.

    RACDCERT ID(GATEUSER) GENCERT SUBJECTSDN(CN('IOAGATE') O('BMC') C('US')) WITHLABEL('IOAGATE') SIGNWITH(CERTAUTH LABEL('MYCA')) KEYUSAGE(HANDSHAKE)

  3. Assign the digital certificate a trusted status using the following command:

    RACDCERT ID(GATEUSER) ALTER (LABEL('IOAGATE')) TRUST

  4. Export the digital certificate using the following command:

    RACDCERT CERTAUTH EXPORT(LABEL('MYCA')) DSN('hlq.EXPORT.P12')

  5. Add the digital certificate to the client's key database using sslcmd or the Java keytool utility.

To generate certificates with Control-M/EM or "Bring Your Own":

When keys and certificates are generated externally and brought to Control-M/EM for distribution ("Bring Your Own (BYO)"), the certificates are placed in the same folder as if they had been generated by Control-M/EM.

For use of keys and certificates with Control-D, use the BYO method.

If BYO is used, skip steps 1 & 2, refer to step 3 and continue from step 4.

  1. In the Control-M Configuration Manager, choose Tools => System Configuration => Control-M/EM System Parameters => Advanced => CmsCommMode.
  2. Set the CmsCommMode parameter to auto.
  3. In the Control-M Configuration Manager, choose Tools => Security => Manage SSL => Generate Component Certificates...

    Two certificates (files) are generated in the Certificate_for Control-M_for_zOS folder.

    For Control-D/WebAccess Server, ready-made certificates can be found in <Installation Path>/config/ssl/ioagte.

  4. FTP IOAGATE.PCK12 to z/OS in binary mode. Assume that the file name on z/OS is IOAGATE.PCK12.

    By default, FTP allocates the new file with the following attributes:

  5. FTP CACERT.PEM to z/OS in ASCII (text) mode. Assume that the file name on z/OS is CACERT.PEM.

    By default, FTP allocates the new file with the following attributes:

  6. Import CACERT.PEM to RACF using the following command:

    RACDCERT CERTAUTH ADD ('CACERT.PEM') WITHLABEL('CACERTXX')

    Choose XX so that the name is unique and does not conflict with an existing name.

  7. Create IOAGATERING (if it does not already exist) with the following command:

    RACDCERT ID(GATEUSER) ADDRING(IOAGATERING)

  8. Connect CACERTXX to IOAGATERING with the command:

    RACDCERT ID(GATEUSER) CONNECT(CERTAUTH LABEL('CACERTXX') RING(IOAGATERING))

  9. Import IOAGATE's certificate with the command:

    RACDCERT ID(GATEUSER) ADD('IOAGATE.PCK12') TRUST WITHLABEL('IOAGATEXX') PASSWORD('ctm_zos_hhmm')

    The hhmm part of the password can be found in the README file generated by Control-M/EM.

  10. Connect IOAGATEXX to IOAGATERING with the command:

    RACDCERT ID(GATEUSER) CONNECT(ID(GATEUSER) LABEL('IOAGATEXX') RING(IOAGATERING) DEFAULT USAGE(PERSONAL))

  11. For connecting to Control-M Configuration Manager and to Control-M/EM, define the following in ECAPARMC and in ECAPARMM CHANNELs:

    If client authentication is needed, also specify:

    Both IOAGATEC and IOAGATEM must have the same SSL definitions.

  12. Stop and restart IOAGATEM and IOAGATEC.

    Note: For more information about the CmsCommMode parameter, see the "Control-M/EM" sub-section in the "SSL communication parameters" section in the "Preparing to use SSL" chapter in the Control-M SSL Guide.

For more information about generating the certificates in Control-M/EM, see the "Generating component certificates using the wizard" section in the "Managing certificates" chapter in the Control-M SSL Guide.
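
One way to check the result of steps 6 through 10 before restarting the gateways in step 12, as an added example that is not part of the original documentation: a read-only batch TSO job that lists the imported certificates and the key ring. The job name and job card values are placeholders to be replaced with installation standards; GATEUSER, CACERTXX, IOAGATEXX and IOAGATERING are the names used in the steps above.

```jcl
//RACFCHK  JOB (ACCT),'VERIFY RING',CLASS=A,MSGCLASS=X
//*
//* Added example, not BMC-supplied JCL. Job card values are
//* placeholders. The job only lists RACF data and changes nothing.
//*
//* What to look for in SYSTSPRT:
//*  1. CACERTXX is listed under CERTAUTH with Status: TRUST and
//*     validity dates that have not expired.
//*  2. IOAGATEXX is listed under GATEUSER with Status: TRUST, has
//*     a private key (it came from the PKCS#12 file in step 9),
//*     and names the CA from step 6 as its issuer.
//*  3. IOAGATERING contains both labels: CACERTXX owned by
//*     CERTAUTH with usage CERTAUTH, and IOAGATEXX owned by
//*     ID(GATEUSER) with usage PERSONAL and DEFAULT set to YES.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH LIST(LABEL('CACERTXX'))
  RACDCERT ID(GATEUSER) LIST(LABEL('IOAGATEXX'))
  RACDCERT ID(GATEUSER) LISTRING(IOAGATERING)
/*
```

If the DIGTCERT and DIGTRING classes are RACLISTed at the installation, RACDCERT changes take effect only after SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH is issued.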
