Digital Certificate Setup for TCPIP With A 3rd Party Certificate Authority

Article ID: 11596

Products

Top Secret, Top Secret - LDAP

Issue/Introduction

Setting up SSL with TCPIP.

Is there an example of how to set up TCPIP with SSL using a 3rd Party Root Certificate?

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

1. Generate a certificate for the TCP started task with the TSS GENCERT command:

Example:

TSS GENCERT(TCP) DIGICERT(TCPCERTU) -
SUBJECTN('O="COMPANYA" CN=" TCP cert" -
OU="SYSTEMSDEPT" C="US" ') -
LABLCERT('TCPCERTU')

• In this example, TCP is the region acid.
• TCPCERTU is the name of the unsigned digital certificate in CA TOP SECRET.
• The LABLCERT is 'TCPCERTU'.
• Modify the SUBJECTN to match your site standards.

2. Generate a certificate request with the TSS GENREQ command and send it out to be signed:
TSS GENREQ(TCP) DIGICERT(TCPCERTU) DCDSN(datasetname)

Note: The dataset must not already exist, and the user must be authorized to the dataset name.

3. Once you get the certificate back from being signed, add the signed certificate and the Certificate Authority certificate to the Security File.

TSS ADD(CERTAUTH) DIGICERT(TCPCA) DCDSN(CA.cert.dataset) TRUST
TSS ADD(TCP) DIGICERT(TCPCERTS) DCDSN(signed.cert.dataset) TRUST


4. Create the TCP KEYRING with the TSS ADD command.

Example:

TSS ADD(TCP) KEYRING(TCPRING) -
LABLRING('TCPRING')


5. Add the certificates to the KEYRING with the TSS ADD command.

Example:


TSS ADD(TCP) KEYRING(TCPRING) -
RINGDATA(CERTAUTH,TCPCA) USAGE(CERTAUTH)

TSS ADD(TCP) KEYRING(TCPRING) -
RINGDATA(TCP,TCPCERTS) USAGE(PERSONAL) DEFAULT


6. Specify the TCP KEYRING to be used via the TCP/IP profile KEYRING parameter.

Example:

"KEYRING SAF TCPRING"


7. Permit the FTP acid to the SSL KEYRING, certificates and mappings via the TSS PERMIT command:

TSS PER(TCP) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
TSS PER(TCP) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
TSS PER(TCP) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)

Note: If acid CERTSITE is the owner of the certificate, ACC(CONTROL) needs to be specified instead of ACC(UPDATE).
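
As an added example (not part of the original article or the product), the Python sketch below lints a TSS command sequence for the cross-references that steps 1 and 3-5 depend on: every RINGDATA must name a certificate that was added, and the key ring needs a CERTAUTH connection and a DEFAULT PERSONAL connection. The function names and the lint rules are assumptions derived from the example commands above, not validation that TSS itself performs.

```python
import re

# Constructed input: the commands from steps 1 and 3-5 above, verbatim.
# The lint rules are assumptions drawn from that example, not TSS's own checks.
SAMPLE = """\
TSS GENCERT(TCP) DIGICERT(TCPCERTU) -
SUBJECTN('O="COMPANYA" CN=" TCP cert" -
OU="SYSTEMSDEPT" C="US" ') -
LABLCERT('TCPCERTU')
TSS ADD(CERTAUTH) DIGICERT(TCPCA) DCDSN(CA.cert.dataset) TRUST
TSS ADD(TCP) DIGICERT(TCPCERTS) DCDSN(signed.cert.dataset) TRUST
TSS ADD(TCP) KEYRING(TCPRING) -
LABLRING('TCPRING')
TSS ADD(TCP) KEYRING(TCPRING) -
RINGDATA(CERTAUTH,TCPCA) USAGE(CERTAUTH)
TSS ADD(TCP) KEYRING(TCPRING) -
RINGDATA(TCP,TCPCERTS) USAGE(PERSONAL) DEFAULT
"""

def join_continuations(text):
    """Merge lines that end in the '-' continuation character into one command."""
    joined = re.sub(r"[ \t]*-[ \t]*\n\s*", " ", text)
    return [l.strip() for l in joined.splitlines() if l.strip()]

def lint(text):
    """Return a list of findings; an empty list means the sequence is consistent."""
    certs, rings, findings = set(), {}, []
    for cmd in join_continuations(text):
        ops = dict(re.findall(r"(\w+)\(([^()]*)\)", cmd))  # KEYWORD(value) operands
        owner = ops.get("ADD") or ops.get("GENCERT")
        if owner is None:
            continue  # GENREQ, PERMIT etc. are outside this check
        ring = (owner, ops.get("KEYRING"))
        if "RINGDATA" in ops:  # step 5: connect a certificate to the key ring
            ref = tuple(p.strip() for p in ops["RINGDATA"].split(","))
            if ring not in rings:
                findings.append(f"{ring[1]}: connected before keyring was created")
            if ref not in certs:
                findings.append(f"{ring[1]}: RINGDATA({','.join(ref)}) was never added")
            rings.setdefault(ring, []).append((ops.get("USAGE"), "DEFAULT" in cmd.split()))
        elif "KEYRING" in ops:  # step 4: create the key ring
            rings.setdefault(ring, [])
        elif "DIGICERT" in ops:  # steps 1 and 3: certificate now in the security file
            certs.add((owner, ops["DIGICERT"]))
    for (_, name), entries in rings.items():
        if not any(usage == "CERTAUTH" for usage, _ in entries):
            findings.append(f"{name}: no CERTAUTH certificate connected")
        if not any(usage == "PERSONAL" and dflt for usage, dflt in entries):
            findings.append(f"{name}: no DEFAULT PERSONAL certificate connected")
    return findings
```

Run `lint()` over the command deck before submitting it; a mistyped certificate name in RINGDATA or a missing DEFAULT shows up as a finding instead of a failed handshake later.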