Using variations of the basic methods

Key pairs and certificates for IOAGATE can either be created with RACF on the mainframe and then certified by an external CA, or they can be generated outside the mainframe and then imported into it. Both procedures are described in this section.

To certify keys created with RACF using an external CA:

  1. Define a local CA certificate and a digital certificate for IOAGATE as described in the first steps of the following procedure: "To create keys and certificates using RACF" in Using the basic methods - RACF or Control-M Configuration Manager.
  2. Generate a certificate request for IOAGATE, using the following command:

    RACDCERT ID(GATEUSER) GENREQ(LABEL('IOAGATE')) DSN('hlq.GENREQ')

    The GENREQ command generates a certificate request in PKCS#10 format, based on an existing certificate that has a private key, and writes it to the hlq.GENREQ data set.

  3. Send the resulting file to a CA for signing. The reply from the CA contains the signed certificate.
  4. FTP (in ASCII mode) the reply from the CA to the mainframe, replacing the IOAGATE certificate.

    The following command assumes that the certificate has been uploaded into the hlq.NEWCERT.PEM data set:

    RACDCERT ID(GATEUSER) ADD('hlq.NEWCERT.PEM') TRUST WITHLABEL('IOAGATE')

To create keys and certificates externally and afterwards import them into the mainframe:

  1. Generate and export the certificate to be used by IOAGATE including the private key in PKCS#12 format.

    The exact generation and export process depends on the platform and tool being used, and is not described here. The export process prompts for a password that is used to encrypt the generated file. This password is needed again in step 3.

  2. FTP (in ASCII mode) the certificate of the CA that signed IOAGATE's certificate to the mainframe and import it:

    RACDCERT CERTAUTH ADD('hlq.CACERT1.PEM') WITHLABEL('CACERT1')

  3. FTP the PKCS#12 file to a sequential data set on the mainframe and import it:

    The PKCS#12 file must be transferred either in binary or in ASCII mode, depending on the encoding of the PKCS#12 file. If the file is Base64-encoded, it must be transferred in ASCII mode. Determine the required transfer mode by examining the first line of the file: if the first line is "-----BEGIN CERTIFICATE-----", use ASCII mode; otherwise use binary mode.

    The following assumes that the file has been uploaded to the 'hlq.GATECERT.P12' data set and that it has been encrypted with the password abcd1234:

    RACDCERT ID(GATEUSER) ADD('hlq.GATECERT.P12') TRUST WITHLABEL('IOAGATE') PASSWORD('abcd1234')
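The following shell helper is an added example and is not part of the BMC documentation or of IOAGATE. It applies the transfer-mode rule from step 3 before a file is FTPed to the mainframe: a first line of "-----BEGIN CERTIFICATE-----" means Base64 (PEM) text and ASCII mode, anything else means binary mode. It goes slightly beyond the rule in two ways, both assumptions of the example: any other PEM armor line ("-----BEGIN ...") is also treated as Base64 text, and a binary candidate is sanity-checked for the ASN.1 SEQUENCE tag (0x30) that a DER-encoded PKCS#12 file starts with, which catches a truncated or wrongly converted upload before RACDCERT rejects it. All file names and contents are constructed for the example; the PEM body is a placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the BMC documentation: decide the FTP transfer mode
# for a certificate file using the rule from the procedure above, and sanity-
# check binary candidates for a DER SEQUENCE tag. File contents below are
# constructed placeholders.

# ftp_mode_for FILE -> prints "ascii" or "binary"
ftp_mode_for() {
    _file="$1"
    [ -r "$_file" ] || { echo "cannot read $_file" >&2; return 1; }
    # Read only the first line; drop a trailing CR so CRLF files still match.
    _first=$(head -n 1 "$_file" | tr -d '\r')
    case "$_first" in
        "-----BEGIN CERTIFICATE-----") echo ascii ;;   # the documented rule
        "-----BEGIN "*)                echo ascii ;;   # any other PEM armor (assumption)
        *)                             echo binary ;;
    esac
}

# looks_like_der FILE -> succeeds if the first byte is 0x30 (ASN.1 SEQUENCE),
# which is how a DER-encoded PKCS#12 file (or certificate) begins.
looks_like_der() {
    _tag=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    [ "$_tag" = "30" ]
}

# check_transfer FILE -> prints "FILE: ascii" or "FILE: binary"; warns on
# stderr when a binary candidate does not start with a DER SEQUENCE tag.
check_transfer() {
    _mode=$(ftp_mode_for "$1") || return 1
    if [ "$_mode" = "binary" ] && ! looks_like_der "$1"; then
        echo "$1: warning: first byte is not 0x30, not a DER PKCS#12 file?" >&2
    fi
    echo "$1: $_mode"
}

# --- constructed sample files --------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# PEM-style CA certificate (placeholder body, not a real certificate)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
              '-----END CERTIFICATE-----' > "$WORK/cacert1.pem"
# DER-style PKCS#12: SEQUENCE tag 0x30 followed by placeholder bytes
printf '\060\202\001\005placeholder' > "$WORK/gatecert.p12"
# Neither: a stray text file that would be sent in binary and flagged
printf 'not a certificate\n' > "$WORK/notes.txt"

for f in "$WORK/cacert1.pem" "$WORK/gatecert.p12" "$WORK/notes.txt"; do
    check_transfer "$f"
done
```

Run it before each upload; the printed mode is the one to select in the FTP client, and a warning on stderr means the file should be re-exported or re-transferred rather than passed to RACDCERT ADD.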

Regardless of which of the above methods is used, the following steps are required:

To create a keyring:

  1. Create the RACF keyring for IOAGATE.

    The following command creates a keyring named IOAGATERING for user ID GATEUSER:

    RACDCERT ID(GATEUSER) ADDRING(IOAGATERING)

  2. Connect IOAGATE’s certificate to the keyring.

    The certificate containing the private key used for decryption must be connected to the user's keyring as the default certificate:

    RACDCERT ID(GATEUSER) CONNECT(ID(GATEUSER) LABEL('IOAGATE') RING(IOAGATERING) DEFAULT USAGE(PERSONAL))

  3. Connect the CA's certificate to the keyring.

    RACDCERT ID(GATEUSER) CONNECT(CERTAUTH LABEL('CACERT1') RING(IOAGATERING))

To add client authentication:

  1. FTP (in ASCII mode) the certificate of the CA that signed the client certificates to the mainframe and import it:

    RACDCERT CERTAUTH ADD('hlq.CACERT.PEM') WITHLABEL('CACERT')

  2. Connect the CA's certificate to IOAGATE's keyring:

    RACDCERT ID(GATEUSER) CONNECT(CERTAUTH LABEL('CACERT') RING(IOAGATERING))

Parent Topic

Creating keys and certificates for IOAGATE for use with Control-M and Control-D