Convert ISKLM RACF commands to TSS commands to set up security for ISKLM running under Broadcom Top Secret.
Release : 16.0
Component : CA Top Secret for z/OS
//TSSISKLM JOB
//*=============================================================
//* NOTES:
//* ------
//* 1) Please read through the comments carefully before
//* running this job to determine what commands will be
//* needed to set up your own customized environment.
//* All occurrences of 'isklm_server_acid' should be changed
//* to the ACID under which the ISKLM server runs, and
//* 'owningacid' to the ACID that is to own the IRR IBMFAC
//* resource.
//*
//* 2) All steps have been coded with PGM=IKJEFT01.
//*
//* 3) All steps should finish with a return code of zero.
//*
//* 4) Please review the results of this job carefully.
//*
//* This batch job is provided for your convenience. A complete
//* write-up on setting up keyrings and certificates in a CA Top Secret
//* secured environment can be found in the CA Top Secret for z/OS
//* documentation.
//*
//* For keyrings and certificates in IBM Security Key Lifecycle
//* Manager for z/OS (ISKLM), the IBM documentation lists three options:
//*
//* 1. Generating a self-signed certificate
//* 2. Generating a certificate signed by an
//* Internal Certificate Authority
//* 3. Generating a certificate signed by a
//* third-party certificate authority
//*
//* This job contains 3 job steps (ISKLMCS1, ISKLMCS2, ISKLMCS3) that
//* correspond to the three cases. Run only the job step that
//* corresponds to the desired case.
//*
//*=============================================================
//* Case 1. Generating a self-signed certificate
//*=============================================================
//ISKLMCS1 EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
*
* Case 1. Generating a self-signed certificate
*
* Create the ISKLM Keyring
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) LABLRING(ISKLMSRV.RING)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its Keyring. CONTROL on
* IRR.DIGTCERT covers every IRR.DIGTCERT.* function; if the
* server only needs to list its own ring, a narrower permit on
* IBMFAC(IRR.DIGTCERT.LISTRING) with ACC(READ) is sufficient.
*
TSS ADD(owningacid) IBMFAC(IRR)
TSS PER(isklm_server_acid) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
*
* Generate self-signed ISKLM server certificate
*
TSS GENCERT(CERTSITE) DIGICERT(ISKLMSRV) LABLCERT(ISKLMSRV.CERT) -
SUBJECTN('CN="ITOperations" OU="MyCo" C="US"') -
KEYSIZE(2048)
*
* Send this certificate to other business partners or sites
* within your enterprise.
*
TSS EXPORT(CERTSITE) DIGICERT(ISKLMSRV) -
DCDSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect the certificate to the Security Key Lifecycle Manager
* for z/OS's keyring.
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTSITE,ISKLMSRV) USAGE(PERSONAL)
*
* Authorize the ISKLM server to the ICSF key (CSFKEYS class).
* When the certificate's private key is stored in ICSF, the
* resource name must match that key's ICSF key label.
*
TSS PER(isklm_server_acid) CSFKEYS(ITOPS.ISKLM.CERT) ACC(READ)
*
//*
//*=============================================================
//* Case 2: Generating a certificate signed by an
//* Internal Certificate Authority
//*=============================================================
//ISKLMCS2 EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
*
* Case 2. Generating a certificate signed by an
* Internal Certificate Authority
*
* Create the ISKLM Keyring. The ring is owned by the ISKLM
* server ACID, as in Case 1; CERTAUTH owns only the CA certificate.
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) LABLRING(ISKLMSRV.RING)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its Keyring.
*
TSS ADD(owningacid) IBMFAC(IRR)
TSS PER(isklm_server_acid) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
*
* Generate a self-signed certificate authority certificate.
*
TSS GENCERT(CERTAUTH) DIGICERT(LOCALCA) LABLCERT('LocalCA') -
SUBJECTN('CN="MyLocalzOSCA" OU="MyCo" C="US"') -
KEYSIZE(2048)
*
* Generate ISKLM server certificate signed with the local certificate
* authority certificate
*
TSS GENCERT(CERTSITE) DIGICERT(ISKLMSRV) LABLCERT('ISKLMServer') -
SUBJECTN('CN="ITOperations" OU="MyCo" C="US"') -
KEYSIZE(2048) SIGNWITH(CERTAUTH,LOCALCA)
*
* Send this certificate to other business partners or sites
* within your enterprise.
*
TSS EXPORT(CERTSITE) DIGICERT(ISKLMSRV) -
DCDSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect certificates to the Security Key Lifecycle Manager
* for z/OS's Keyring: the server certificate as PERSONAL and the
* local CA certificate as CERTAUTH so the chain validates.
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTSITE,ISKLMSRV) USAGE(PERSONAL)
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTAUTH,LOCALCA) USAGE(CERTAUTH)
*
* Authorize the ISKLM server to the ICSF key (CSFKEYS class)
*
TSS PER(isklm_server_acid) CSFKEYS(ITOPS.ISKLM.CERT) ACC(READ)
*
//*
//*=============================================================
//* Case 3: Generating a certificate signed by a
//* third-party certificate authority
//*=============================================================
//ISKLMCS3 EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
*
* Case 3. Generating a certificate signed by a
* third-party certificate authority
*
* Create the ISKLM Keyring
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) LABLRING(ISKLMSRV.RING)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its Keyring.
*
TSS PER(isklm_server_acid) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
*
* Generate the ISKLM server certificate. This self-signed
* certificate holds the key pair until the CA-signed
* certificate is received.
*
TSS GENCERT(CERTSITE) DIGICERT(ISKLMSRV) LABLCERT('Unsigned_ISKLMServer') -
    SUBJECTN('CN="ITOperations" OU="MyCo" C="US"') -
    KEYSIZE(2048)
*
* Generate and save a certificate request to a dataset
*
TSS GENREQ(CERTSITE) DIGICERT(ISKLMSRV) DCDSN('hlq.PUBKEY.S2048.ITOPS')
*
* Submit the certificate request, hlq.PUBKEY.S2048.ITOPS, to your
* certificate provider. The response you receive is an X.509
* certificate issued for the key pair generated above.
* Receive the response into dataset 'hlq.THIRD.PARTY.CERT' and
* add the certificate to Top Secret.
*
TSS ADD(CERTSITE) DIGICERT(ISKLMSRV) DCDSN('hlq.THIRD.PARTY.CERT') -
    LABLCERT('ISKLMServer') TRUST
*
* Send this certificate to other business partners or sites
* within your enterprise.
*
TSS EXPORT(CERTSITE) DIGICERT(ISKLMSRV) -
    DCDSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect certificates to the Security Key Lifecycle Manager
* for z/OS's keyring. Change RINGDATA(CERTAUTH,external) to the
* DIGICERT name under which the third-party certificate authority
* certificate was added to Top Secret under CERTAUTH. The CA
* certificate must already be added and marked TRUST before it
* can be connected to the ring.
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTSITE,ISKLMSRV) USAGE(PERSONAL)
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTAUTH,external) USAGE(CERTAUTH)
*
*
* Authorize the ISKLM server to the ICSF key (CSFKEYS class)
*
TSS PER(isklm_server_acid) CSFKEYS(ITOPS.ISKLM.CERT) ACC(READ)
*
//*
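Note 4 asks you to review the results of the job carefully. The step below is an added example, not part of the original job, that lists what the chosen case built so the keyring and permits can be checked before ISKLM is started. It assumes the same placeholder names used above (isklm_server_acid, ISKLMRng, ISKLMSRV, LOCALCA, ITOPS.ISKLM.CERT); for Case 3 substitute the DIGICERT name of the third-party CA for LOCALCA, and run the CHKCERT line against the received certificate before the Case 3 ADD.

```jcl
//*=============================================================
//* Verification (added example): list what the chosen case built
//*=============================================================
//ISKLMVFY EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
*
* Keyring contents: expect ISKLMSRV with USAGE(PERSONAL) and,
* for Cases 2 and 3, the CA certificate with USAGE(CERTAUTH).
*
TSS LIST(isklm_server_acid) KEYRING(ISKLMRng)
*
* Server certificate details: check the label, subject, key
* size, issuer and expiry date. In Case 3 the issuer must be the
* third-party CA, not the subject itself.
*
TSS LIST(CERTSITE) DIGICERT(ISKLMSRV)
*
* CA certificate (Case 2: LOCALCA; Case 3: the DIGICERT name
* under which the third-party CA certificate was added).
*
TSS LIST(CERTAUTH) DIGICERT(LOCALCA)
*
* Case 3 only: inspect the certificate returned by the provider
* before adding it, to confirm the subject and issuer are the
* ones expected (hypothetical dataset name from the job above).
*
TSS CHKCERT DCDSN('hlq.THIRD.PARTY.CERT')
*
* Permits held on the FACILITY and CSFKEYS resources; only the
* ISKLM server ACID should appear.
*
TSS WHOHAS IBMFAC(IRR.DIGTCERT)
TSS WHOHAS CSFKEYS(ITOPS.ISKLM.CERT)
*
//*
```

Run this step on its own after the case step has completed with return code zero; any certificate that lists as not trusted, or any ACID other than the ISKLM server on the WHOHAS output, should be corrected before starting the server.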