Convert ISKLM RACF commands to TSS commands


Article ID: 144226

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

Convert the ISKLM RACF commands to TSS commands in order to set up security for IBM Security Key Lifecycle Manager for z/OS (ISKLM) running under Broadcom Top Secret.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

//TSSISKLM JOB
//*=============================================================
//* NOTES:
//* ------
//* 1) Please read through the comments carefully before
//*    running this job to determine what commands will be
//*    needed to set up your own customized environment.
//*    All occurrences of 'isklm_server_acid' should be
//*    changed to the ACID (logonid) that the ISKLM server
//*    runs under, for example ISKLMSRV. All occurrences of
//*    'owningacid' should be changed to the ACID that is to
//*    own the IBMFAC(IRR) resource.
//*
//* 2) All steps have been coded with PGM=IKJEFT01.
//*
//* 3) All steps should finish with a return code of zero.
//*
//* 4) Please review the results of this job carefully.
//*
//* This batch job is provided for your convenience. A complete
//* write-up on setting up keyrings and certificates in a
//* CA Top Secret secured environment can be found in the
//* CA Top Secret for z/OS documentation.
//*
//* For IBM Security Key Lifecycle Manager for z/OS (ISKLM)
//* keyrings and certificates, the IBM documentation lists
//* three options:
//*
//* 1. Generating a self-signed certificate
//* 2. Generating a certificate signed by an
//*    internal certificate authority
//* 3. Generating a certificate signed by a
//*    third-party certificate authority
//*
//* This job contains three job steps (ISKLMCS1, ISKLMCS2,
//* ISKLMCS3), one for each case. Run only the job step that
//* corresponds to the desired case.
//*
//*=============================================================
//* Case 1. Generating a self-signed certificate                                    
//*=============================================================   
//ISKLMCS1 EXEC PGM=IKJEFT01,REGION=0K    
//SYSPRINT DD SYSOUT=*                   
//SYSTSPRT DD SYSOUT=*                   
//SYSTSIN  DD *                          
*
* Case 1. Generating a self-signed certificate
*
* Create the ISKLM keyring
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) LABLRING(ISKLMSRV.RING)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its keyring.
*
TSS ADD(owningacid) IBMFAC(IRR)
TSS PER(isklm_server_acid) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
*
* Generate the self-signed ISKLM server certificate
*
TSS GENCERT(CERTSITE) DIGICERT(ISKLMSRV) LABLCERT('ISKLMSRV.CERT') -
SUBJECTN('CN="ITOperations" OU="MyCo" C="US"') -
KEYSIZE(2048)
*
* Export the certificate in DER format (no private key) to send
* to other business partners or sites within your enterprise.
*
TSS EXPORT(CERTSITE) DIGICERT(ISKLMSRV) -
DCDSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect the certificate to the Security Key Lifecycle Manager
* for z/OS keyring.
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
RINGDATA(CERTSITE,ISKLMSRV) USAGE(PERSONAL)
*
* Authorize the ISKLM server to its CSFKEYS resource
*
TSS PER(isklm_server_acid) CSFKEYS(ITOPS.ISKLM.CERT) ACC(READ)
*
//*                     
//*=============================================================    
//* Case 2: Generating a certificate signed by an 
//*         Internal Certificate Authority                             
//*=============================================================
//ISKLMCS2 EXEC PGM=IKJEFT01,REGION=0K                              
//SYSPRINT DD SYSOUT=*                                              
//SYSTSPRT DD SYSOUT=*                                              
//SYSTSIN  DD *                                                     
   
*
* Case 2. Generating a certificate signed by an
*         internal certificate authority
*
* Create the ISKLM keyring
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) LABLRING(ISKLMSRV.RING)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its keyring.
*
TSS ADD(owningacid) IBMFAC(IRR)
TSS PER(isklm_server_acid) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
*
* Generate a self-signed certificate authority certificate.
*
TSS GENCERT(CERTAUTH) DIGICERT(LOCALCA) LABLCERT('LocalCA') -
SUBJECTN('CN="MyLocalzOSCA" OU="MyCo" C="US"') -
KEYSIZE(2048)
*
* Generate the ISKLM server certificate signed with the local
* certificate authority certificate
*
TSS GENCERT(CERTSITE) DIGICERT(ISKLMSRV) LABLCERT('ISKLMServer') -
SUBJECTN('CN="ITOperations" OU="MyCo" C="US"') -
KEYSIZE(2048) SIGNWITH(CERTAUTH,LOCALCA)
*
* Export the server certificate in DER format (no private key)
* to send to other business partners or sites within your
* enterprise.
*
TSS EXPORT(CERTSITE) DIGICERT(ISKLMSRV) -
    DCDSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect the server certificate (PERSONAL) and the local CA
* certificate (CERTAUTH) to the Security Key Lifecycle Manager
* for z/OS keyring.
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTSITE,ISKLMSRV) USAGE(PERSONAL)
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTAUTH,LOCALCA) USAGE(CERTAUTH)
*
* Authorize the ISKLM server to its CSFKEYS resource
*
TSS PER(isklm_server_acid) CSFKEYS(ITOPS.ISKLM.CERT) ACC(READ)
*
//*                     
//*=============================================================    
//* Case 3: Generating a certificate signed by a 
//*         third-party certificate authority                            
//*=============================================================
//ISKLMCS3 EXEC PGM=IKJEFT01,REGION=0K                              
//SYSPRINT DD SYSOUT=*                                              
//SYSTSPRT DD SYSOUT=*                                              
//SYSTSIN  DD *                                                     
*
* Case 3. Generating a certificate signed by a
*         third-party certificate authority
*
* Create the ISKLM keyring
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) LABLRING(ISKLMSRV.RING)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its keyring. (Omit the ADD if
* IBMFAC(IRR) is already owned on your system.)
*
TSS ADD(owningacid) IBMFAC(IRR)
TSS PER(isklm_server_acid) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
*
* Generate the ISKLM server certificate (unsigned until the
* CA-signed certificate is received below)
*
TSS GENCERT(CERTSITE) DIGICERT(ISKLMSRV) -
LABLCERT('Unsigned_ISKLMServer') -
SUBJECTN('CN="ITOperations" OU="MyCo" C="US"') -
KEYSIZE(2048)
*
* Generate and save a certificate request to a dataset
*
TSS GENREQ(CERTSITE) DIGICERT(ISKLMSRV) -
    DCDSN('hlq.PUBKEY.S2048.ITOPS')
*
* Submit the certificate request, hlq.PUBKEY.S2048.ITOPS, to
* your certificate provider. The response you receive is an
* X.509 certificate. Receive the response into dataset
* 'hlq.THIRD.PARTY.CERT', then add the certificate to
* Top Secret.
*
TSS ADD(CERTSITE) DIGICERT(ISKLMSRV) DCDSN('hlq.THIRD.PARTY.CERT') -
    LABLCERT('ISKLMServer') TRUST
*
* Export the certificate in DER format (no private key) to send
* to other business partners or sites within your enterprise.
*
TSS EXPORT(CERTSITE) DIGICERT(ISKLMSRV) -
    DCDSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect the certificates to the Security Key Lifecycle Manager
* for z/OS keyring. The third-party CA certificate must already
* have been added to Top Secret under CERTAUTH; change
* RINGDATA(CERTAUTH,external) to the DIGICERT name it was
* added with.
*
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTSITE,ISKLMSRV) USAGE(PERSONAL)
TSS ADD(isklm_server_acid) KEYRING(ISKLMRng) -
    RINGDATA(CERTAUTH,external) USAGE(CERTAUTH)
*
* Authorize the ISKLM server to its CSFKEYS resource
*
TSS PER(isklm_server_acid) CSFKEYS(ITOPS.ISKLM.CERT) ACC(READ)
*
//*
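As an added verification step, not part of the original job, the following fourth step lists what the chosen case should have produced so that note 4 ("review the results carefully") can be done from the job output. It assumes isklm_server_acid was replaced with ISKLMSRV and that the keyring, certificate and resource names above were kept.

```jcl
//*=============================================================
//* Verify the results (added check, run after the chosen case)
//*=============================================================
//ISKLMCHK EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
*
* Assumes isklm_server_acid was replaced with ISKLMSRV and the
* keyring, certificate and resource names above were kept.
*
* The keyring should list the server certificate with
* USAGE(PERSONAL); for Cases 2 and 3 the CA certificate should
* also appear with USAGE(CERTAUTH).
TSS LIST(ISKLMSRV) KEYRING(ISKLMRng)
*
* The server certificate should be TRUSTed; check the subject,
* the issuer (self, LocalCA or the external CA) and the
* validity dates before putting ISKLM into service.
TSS LIST(CERTSITE) DIGICERT(ISKLMSRV)
*
* Case 2 only: the local CA certificate under CERTAUTH.
TSS LIST(CERTAUTH) DIGICERT(LOCALCA)
*
* Only the ISKLM server ACID should hold CONTROL on
* IRR.DIGTCERT (a prefix covering every IRR.DIGTCERT.*
* function) and READ on the CSFKEYS resource; review any
* other ACIDs that are listed.
TSS WHOHAS IBMFAC(IRR.DIGTCERT)
TSS WHOHAS CSFKEYS(ITOPS.ISKLM.CERT)
/*
```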