Description:
For IBM Security Key Lifecycle Manager for z/OS (ISKLM) Keyring/Certificates, there are three options for Keyring/Certificate setup: a self-signed certificate, a certificate signed by an internal certificate authority, or a certificate signed by a third-party certificate authority.
Solution:
The following batch job covers the three options for setting up Keyrings and certificates for IBM Security Key Lifecycle Manager for z/OS (ISKLM) under CA-ACF2. There is one job step for each option; sites need only run the job step that covers the option they want.
//ACFISKLM JOB
//*=============================================================
//* NOTES:
//* ------
//* 1) Please read through the comments carefully before
//*    running this job to determine what commands will be
//*    needed to set up your own customized environment.
//*    All occurrences of 'UID string for ISKLMSRV logonid'
//*    should be changed to the UID string for logonid ISKLMSRV.
//*
//* 2) All steps have been coded with PGM=IKJEFT01.
//*
//* 3) All steps should finish with a return code of zero.
//*
//* 4) Please review the results of this job carefully.
//*
//* This batch job is provided for your convenience. A complete
//* write-up on setting up Keyrings and certificates in a CA-ACF2
//* secured environment can be found in the eTrust CA-ACF2
//* Security for z/OS Administrators Guide.
//*
//* For Security Key Lifecycle Manager for z/OS (ISKLM)
//* Keyring/Certificates, IBM documentation lists three options:
//*
//*   1. Generating a self-signed certificate
//*   2. Generating a certificate signed by an
//*      Internal Certificate Authority
//*   3. Generating a certificate signed by a
//*      third-party certificate authority
//*
//* This job contains 3 job steps (ISKLMCS1, ISKLMCS2, ISKLMCS3) that
//* correspond to each case. Please run the job step that corresponds
//* to the desired Case.
//*
//*=============================================================
//* Case 1. Generating a self-signed certificate
//*=============================================================
//ISKLMCS1 EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ACF
*
* Case 1. Generating a self-signed certificate
*
* Create the ISKLM Keyring
*
SET PROFILE(USER) DIV(KEYRING)
INSERT ISKLMSRV.RING RINGNAME(ISKLMRing)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its Keyring.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
*
* Generate self-signed ISKLM server certificate
*
GENCERT ISKLMSRV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
  LABEL(ISKLMServer) SIZE(2048)
*
* Send this certificate to other business partners or sites
* within your enterprise.
*
SET PROFILE(USER) DIV(CERTDATA)
EXPORT ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect certificate to the Security Key Lifecycle Manager
* for z/OS's keyring.
*
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(ISKLMSRV.CERT) KEYRING(ISKLMSRV.RING) USAGE(PERSONAL)
*
* Note TYPE(SAF) is the default for resource CSFKEYS. Use the TSO ACF
* SHOW CLASMAP command to verify the TYPE code that your site uses
* for resource class CSFKEYS.
*
SET RESOURCE(SAF)
RECKEY ITOPS ADD( ISKLM.CERT UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
*
* Issue Rebuilds.
* Note REBUILD(SAF) is the default for resource CSFKEYS. Use the TSO ACF
* SHOW CLASMAP command to verify the TYPE code that your site uses
* for resource class CSFKEYS and update the REBUILD(xxx) accordingly.
*
F ACF2,REBUILD(SAF)
F ACF2,REBUILD(GRP),CLASS(P)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS
//*
//*=============================================================
//* Case 2: Generating a certificate signed by an
//*         Internal Certificate Authority
//*=============================================================
//ISKLMCS2 EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ACF
*
* Case 2. Generating a certificate signed by an
*         Internal Certificate Authority
*
* Create the ISKLM Keyring
*
SET PROFILE(USER) DIV(KEYRING)
INSERT ISKLMSRV.RING RINGNAME(ISKLMRing)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its Keyring.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
*
* Generate a self-signed certificate authority certificate.
*
GENCERT CERTAUTH.LOCALCA SUBJ(CN='MyLocalzOSCA' -
  O='MyCo' C=US) LABEL(LocalACF CA) SIZE(2048)
*
* Generate ISKLM server certificate signed with the local certificate
* authority certificate
*
GENCERT ISKLMSRV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
  LABEL(ISKLMServer) SIZE(2048) SIGNWITH(certauth Label(LocalACF CA))
*
* Send this certificate to other business partners or sites
* within your enterprise.
*
SET PROFILE(USER) DIV(CERTDATA)
EXPORT ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect certificates to the Security Key Lifecycle Manager
* for z/OS's Keyring.
*
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(ISKLMSRV.CERT) KEYRING(ISKLMSRV.RING) USAGE(PERSONAL)
CONNECT CERTDATA(CERTAUTH.LOCALCA) KEYRING(ISKLMSRV.RING) USAGE(CERTAUTH)
*
* Note TYPE(SAF) is the default for resource CSFKEYS. Use the TSO ACF
* SHOW CLASMAP command to verify the TYPE code that your site uses
* for resource class CSFKEYS.
*
SET RESOURCE(SAF)
RECKEY ITOPS ADD( ISKLM.CERT UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
*
* Issue Rebuilds.
* Note REBUILD(SAF) is the default for resource CSFKEYS. Use the TSO ACF
* SHOW CLASMAP command to verify the TYPE code that your site uses
* for resource class CSFKEYS and update the REBUILD(xxx) accordingly.
*
F ACF2,REBUILD(SAF)
F ACF2,REBUILD(GRP),CLASS(P)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS
//*
//*=============================================================
//* Case 3: Generating a certificate signed by a
//*         third-party certificate authority
//*=============================================================
//ISKLMCS3 EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ACF
*
* Case 3. Generating a certificate signed by a
*         third-party certificate authority
*
* Create the ISKLM Keyring
*
SET PROFILE(USER) DIV(KEYRING)
INSERT ISKLMSRV.RING RINGNAME(ISKLMRing)
*
* Create a FACILITY class resource rule to allow the
* ISKLM server to read from its Keyring.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
*
* Generate ISKLM server certificate
*
GENCERT ISKLMSRV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
  LABEL(ISKLMServer) SIZE(2048)
*
* Generate and save a certificate request to a dataset
*
GENREQ ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS')
*
* Submit certificate request hlq.PUBKEY.S2048.ITOPS to your
* certificate provider. The response you receive is an X.509
* certificate. Receive the response into dataset
* 'hlq.THIRD.PARTY.CERT', then INSERT/Add the certificate to ACF2.
*
SET PROFILE(USER) DIV(CERTDATA)
INSERT ISKLMSRV.CERT DSN('hlq.THIRD.PARTY.CERT') LABEL(ISKLMServer)
*
* Send this certificate to other business partners or sites
* within your enterprise.
*
SET PROFILE(USER) DIV(CERTDATA)
EXPORT ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect certificates to the Security Key Lifecycle Manager
* for z/OS's keyring. Change CERTDATA(CERTAUTH.external) and
* LABEL(External CA label) to the appropriate values for the
* third-party certificate authority that your site used.
*
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(ISKLMSRV.CERT) KEYRING(ISKLMSRV.RING)
CONNECT CERTDATA(CERTAUTH.external) LABEL(External CA label) -
  KEYRING(ISKLMSRV.RING)
*
* Note TYPE(SAF) is the default for resource CSFKEYS. Use the TSO ACF
* SHOW CLASMAP command to verify the TYPE code that your site uses
* for resource class CSFKEYS.
*
SET RESOURCE(SAF)
RECKEY ITOPS ADD( ISKLM.CERT UID(UID string for ISKLMSRV logonid) -
  SERVICE(READ) ALLOW)
*
* Issue Rebuilds.
* Note REBUILD(SAF) is the default for resource CSFKEYS. Use the TSO ACF
* SHOW CLASMAP command to verify the TYPE code that your site uses
* for resource class CSFKEYS and update the REBUILD(xxx) accordingly.
*
F ACF2,REBUILD(SAF)
F ACF2,REBUILD(GRP),CLASS(P)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS
//*
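A verification step to run after whichever case was chosen, as an added example that is not part of CA's job: it lists the keyring, the certificate records and the two resource rule sets the job creates, so you can confirm the ring holds ISKLMSRV.CERT with USAGE(PERSONAL) (plus the CA certificate with USAGE(CERTAUTH) in Cases 2 and 3), that the certificate's issuer is what the chosen case implies (equal to the subject only for the self-signed Case 1), and that the IRR and ITOPS rule sets carry SERVICE(READ) for the ISKLMSRV UID. Assumed: the same IKJEFT01 conventions as the job above, and that CHKCERT is available in your ACF2 release; the step name ISKLMCHK is made up here.

```jcl
//ISKLMCHK EXEC PGM=IKJEFT01,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ACF
*
* Keyring: expect ISKLMSRV.CERT connected as PERSONAL and, for
* Cases 2 and 3, the CA certificate connected as CERTAUTH.
*
SET PROFILE(USER) DIV(KEYRING)
LIST ISKLMSRV.RING
*
* Certificate records: check subject, issuer and validity dates.
* Case 1: subject and issuer are the same DN (self-signed).
* Case 2: issuer is CN=MyLocalzOSCA.  Case 3: issuer is the
* third-party CA that signed the GENREQ request.
*
SET PROFILE(USER) DIV(CERTDATA)
LIST ISKLMSRV.CERT
CHKCERT ISKLMSRV.CERT
*
* Case 2 only: the local CA certificate record itself.
*
LIST CERTAUTH.LOCALCA
*
* Resource rules: the IRR rule set must permit DIGTCERT.LIST and
* DIGTCERT.LISTRING, and the ITOPS rule set must permit ISKLM.CERT,
* each with SERVICE(READ) for the ISKLMSRV UID.  If a rule is
* missing or a REBUILD was skipped, the ISKLM server will fail to
* open its keyring at startup.
*
SET RESOURCE(FAC)
LIST IRR
SET RESOURCE(SAF)
LIST ITOPS
END
/*
```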