How to add a client and root certificate to CA Top Secret and then to a keyring?

Products

Top Secret Top Secret - LDAP

Issue/Introduction

How to add a client certificate and root certificate pair to CA Top Secret Security file and then to a keyring?

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

Example:

The following datasets contain the certs:

ROOT.PUBLIC.CERTS.PEM (contains the root cert)

CLIENT.PUBLIC.CERTS.P12 (contains the client cert and password protected ‘mandolin’)

1. ADD CERTS THE SECURITY FILE.

TSS ADD(CERTAUTH) DIGICERT(ROOT1) DCDSN(ROOT.PUBLIC.CERTS.PEM) TRUST

TSS ADD(CERTSITE) DIGICERT(CLIENT1) DCDSN(CLIENT.PUBLIC.CERTS.P12) PKCSPASS(CLIENT1) TRUST

2. Create keyrings for users that dont already have the keyring:

TSS ADD(USERA) KEYRING(USERRING)

TSS ADD(USERB) KEYRING(USERRING)

TSS ADD(USERC) KEYRING(USERRING)

3. Connect root and personal certs to the keyring of the user:

TSS ADD(USERB) KEYRING(USERRING) RINGDATA(CERTSITE,CLIENT1) USAGE(PERSONAL) DEFAULT

TSS ADD(USERB) KEYRING(USERRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)

TSS ADD(USERA) KEYRING(USERRING) RINGDATA(CERTSITE,CLIENT1) USAGE(PERSONAL) DEFAULT

TSS ADD(USERA) KEYRING(USERRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)

TSS ADD(USERC) KEYRING(USERRING) RINGDATA(CERTSITE,CLIENT1) USAGE(PERSONAL) DEFAULT

TSS ADD(USERC) KEYRING(USERRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)

4. Authorize for digital certificates:

TSS PER(USERA) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)

TSS PER(USERB) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)

TSS PER(USERC) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)

Without this permission, users will not be authorized to use digital certificates.

5. Make sure when specifying the keyring name to the application it matches the keyring name exactly. The digicert name and keyring name is case sensitive.