Key pairs and certificates can either be created for IOAGATE by using RACF on the mainframe and then certified with an external CA or they can be generated outside the mainframe and then imported to the mainframe. These procedures are described in this section.
To certify keys created with RACF using an external CA:
RACDCERT ID(GATEUSER) GENREQ (LABEL('IOAGATE')) DSN('hlq.GENREQ')
The GENREQ command generates a certificate request in PKCS#10 format, based on an existing certificate with a private key and writes it to hlq.GENREQ.
The following command assumes that the certificate has been uploaded into the hlq.NEWCERT.PEM data set:
RACDCERT ID(GATEUSER) ADD('hlq.NEWCERT.PEM')
TRUST WITHLABEL('IOAGATE')
To create keys and certificates externally and afterwards import them to the mainframe:
The exact generation and export process depends on the platform and tool being used, and is not described here. The export process will request a password for encrypting the generated file. This password is needed in the next step.
RACDCERT CERTAUTH ADD('hlq.CACERT1.PEM') WITHLABEL('CACERT1')
The PKCS#12 file must be transferred either in binary or in ASCII format, depending on the exact encoding of the PKCS#12 file. If the file is encoded using Base64 then it must be transferred in ASCII mode. Determine the required transfer mode by examining the first line. If the first line is "-----BEGIN CERTIFICATE-----", use ASCII format. Otherwise use binary format.
The following assumes that the file has been uploaded to the 'hlq.GATECERT.P12' data set and that it has been encrypted with the password abcd1234:
RACDCERT ID(GATEUSER) ADD('hlq.GATECERT.P12') TRUST WITHLABEL('IOAGATE') PASSWORD('abcd1234')
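The transfer-mode rule above (ASCII for a Base64/PEM file, binary otherwise) is easy to get wrong when a file carries a BOM or Windows line endings, so here is an added helper, not part of this documentation or the product, that inspects a certificate or PKCS#12 file before it is uploaded. It generalises the page's rule to any PEM header and adds a sanity check that the Base64 body really decodes to DER; the sample inputs are constructed, not real certificates.

```python
import base64
import re

# Any PEM header, e.g. "-----BEGIN CERTIFICATE-----" or "-----BEGIN PKCS12-----".
PEM_HEADER = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----$")

def transfer_mode(data: bytes) -> str:
    """Return 'ascii' for a Base64 (PEM) file and 'binary' for a DER/PKCS#12 file."""
    if data.startswith(b"\xef\xbb\xbf"):
        # A UTF-8 BOM hides the PEM header from a naive first-line check; skip it.
        data = data[3:]
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")  # tolerate CRLF
    if PEM_HEADER.match(first_line):
        return "ascii"
    # DER (and therefore a binary PKCS#12 file) always starts with a SEQUENCE tag.
    if data[:1] == b"\x30":
        return "binary"
    raise ValueError("file is neither PEM nor DER; refusing to guess the transfer mode")

def pem_payload_is_der(data: bytes) -> bool:
    """Sanity check: the Base64 body of a PEM file must decode to a DER SEQUENCE."""
    lines = [ln.strip() for ln in data.replace(b"\r\n", b"\n").split(b"\n")]
    body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return der[:1] == b"\x30"

# Constructed sample inputs (not real certificates): DER SEQUENCE { INTEGER 1 },
# and the same bytes wrapped as a PEM block with Windows line endings.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              b"MAMCAQE=\r\n"
              b"-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    for name, blob in (("sample.pem", SAMPLE_PEM), ("sample.p12", SAMPLE_DER)):
        print(f"{name}: transfer in {transfer_mode(blob)} mode")
```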
Regardless of which of the above methods is used, the following steps are required:
To create a keyring:
The following command creates a keyring named IOAGATERING for user ID GATEUSER:
RACDCERT ID(GATEUSER) ADDRING(IOAGATERING)
The certificate containing the private key used for decryption must be connected to the user's keyring as the default certificate:
RACDCERT ID(GATEUSER) CONNECT(ID(GATEUSER) LABEL('IOAGATE')
RING(IOAGATERING) DEFAULT USAGE(PERSONAL))
RACDCERT ID(GATEUSER) CONNECT(CERTAUTH LABEL('CACERT1')
RING(IOAGATERING))
To add client authentication:
RACDCERT CERTAUTH ADD('hlq.CACERT.PEM') WITHLABEL('CACERT')
RACDCERT ID(GATEUSER) CONNECT(CERTAUTH LABEL('CACERT') RING(IOAGATERING))