
We are implementing IBM ISKLM and will need to generate certificates, keyrings, and so forth. How is this done with ACF2?


Article ID: 18828


Updated On:

Products: ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Description:

For IBM Security Key Lifecycle Manager for z/OS (ISKLM) keyrings and certificates, there are three options for the keyring/certificate setup:

  1. Generating a self-signed certificate
  2. Generating a certificate signed by an Internal Certificate Authority
  3. Generating a certificate signed by a third-party certificate authority

Solution:

The following batch job covers the three options for setting up keyrings and certificates for IBM Security Key Lifecycle Manager for z/OS (ISKLM). The job contains one step per option; sites can run just the job step that covers the option desired.

//ACFISKLM JOB   
//*=============================================================      
//* NOTES:                                                            
//* ------                                                            
//* 1) Please read through the comments carefully before              
//*    running this job to determine what commands will be            
//*    needed to setup your own customized environment. 
//*    All occurrences of 'UID string for ISKLMSRV logonid'
//*    should be changed to the UID string for logonid ISKLMSRV.             
//*                                                                   
//* 2) All steps have been coded with PGM=IKJEFT01.  
//*                                                                   
//* 3) All steps should finish with a return code of zero.            
//*                                                                   
//* 4) Please review the results of this job carefully.               
//*                                                                   
//* This batch job is provided for your convenience. A complete
//* write-up on setting up keyrings and certificates in a CA-ACF2
//* secured environment can be found in the eTrust CA-ACF2
//* Security for z/OS Administrators Guide.
//* 
//* For Security Key Lifecycle Manager for z/OS (ISKLM)
//* keyrings/certificates, the IBM documentation lists three options:
//*  
//* 1. Generating a self-signed certificate                                   
//* 2. Generating a certificate signed by an 
//*    Internal Certificate Authority   
//* 3. Generating a certificate signed by a 
//*    third-party certificate authority 
//* 
//* This job contains 3 job steps(ISKLMCS1, ISKLMCS2, ISKLMCS3) that 
//* correspond to each case. Please run the job step that corresponds 
//* to the desired Case. 
//*                      
//*=============================================================  
//* Case 1. Generating a self-signed certificate                                    
//*=============================================================   
//ISKLMCS1 EXEC PGM=IKJEFT01,REGION=0K    
//SYSPRINT DD SYSOUT=*                   
//SYSTSPRT DD SYSOUT=*                   
//SYSTSIN  DD *                          
 ACF 
*                                     
* Case 1. Generating a self-signed certificate    
* 
* Create the ISKLM Keyring
*
SET PROFILE(USER) DIV(KEYRING)     
INSERT ISKLMSRV.RING RINGNAME(ISKLMRing)
*
* Create a FACILITY class resource rule to allow the 
* ISKLM server to read from its Keyring.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW)    
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW)  
*
* Generate self-signed ISKLM server certificate
*
GENCERT ISKLMSRV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
LABEL(ISKLMServer) SIZE(2048)
* 
* Send this certificate to other business partners or sites 
* within your enterprise.
* 
SET PROFILE(USER) DIV(CERTDATA)
EXPORT ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
* 
* Connect certificate to the Security Key Lifecycle Manager 
* for z/OS's keyring.
* 
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(ISKLMSRV.CERT) KEYRING(ISKLMSRV.RING) USAGE(PERSONAL)
* 
* Note TYPE(SAF) is the default for resource class CSFKEYS. Use the
* ACF SHOW CLASMAP command under TSO to verify the TYPE code that
* your site uses for resource class CSFKEYS.
* 
SET RESOURCE(SAF)
RECKEY ITOPS ADD( ISKLM.CERT UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW) 
*
* Issue Rebuilds.
* Note REBUILD(SAF) is the default for resource class CSFKEYS. Use the
* ACF SHOW CLASMAP command under TSO to verify the TYPE code that your
* site uses for resource class CSFKEYS and update REBUILD(xxx) accordingly.
*
F ACF2,REBUILD(SAF)
F ACF2,REBUILD(GRP),CLASS(P)
F ACF2,REBUILD(USR),CLASS(P)       
F ACF2,OMVS      
//*                     
//*=============================================================    
//* Case 2: Generating a certificate signed by an 
//*         Internal Certificate Authority                             
//*=============================================================
//ISKLMCS2 EXEC PGM=IKJEFT01,REGION=0K                              
//SYSPRINT DD SYSOUT=*                                              
//SYSTSPRT DD SYSOUT=*                                              
//SYSTSIN  DD *                                                     
ACF     
*                                     
* Case 2. Generating a certificate signed by an   
*         Internal Certificate Authority
* 
* Create the ISKLM Keyring
*
SET PROFILE(USER) DIV(KEYRING)     
INSERT ISKLMSRV.RING RINGNAME(ISKLMRing)
*
* Create a FACILITY class resource rule to allow the 
* ISKLM server to read from its Keyring.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW)    
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW)
*
* Generate a self-signed certificate authority certificate.
*
GENCERT CERTAUTH.LOCALCA SUBJ(CN='MyLocalzOSCA' -
O='MyCo' C=US)  LABEL(LocalACF CA) SIZE(2048)
*
* Generate ISKLM server certificate signed with the local certificate 
* authority certificate
*
GENCERT ISKLMSRV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
LABEL(ISKLMServer) SIZE(2048) SIGNWITH(certauth Label(LocalACF CA))
*
* Send this certificate to other business partners or sites 
* within your enterprise.
*
SET PROFILE(USER) DIV(CERTDATA)
EXPORT ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect certificates to the Security Key Lifecycle Manager 
* for z/OS's Keyring.
*
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(ISKLMSRV.CERT) KEYRING(ISKLMSRV.RING) USAGE(PERSONAL)
CONNECT CERTDATA(CERTAUTH.LOCALCA) KEYRING(ISKLMSRV.RING) USAGE(CERTAUTH) 
*
* Note TYPE(SAF) is the default for resource class CSFKEYS. Use the
* ACF SHOW CLASMAP command under TSO to verify the TYPE code that
* your site uses for resource class CSFKEYS.
*
SET RESOURCE(SAF)
RECKEY ITOPS ADD( ISKLM.CERT UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW)
*
* Issue Rebuilds.
* Note REBUILD(SAF) is the default for resource class CSFKEYS. Use the
* ACF SHOW CLASMAP command under TSO to verify the TYPE code that your
* site uses for resource class CSFKEYS and update REBUILD(xxx) accordingly.
*
F ACF2,REBUILD(SAF)
F ACF2,REBUILD(GRP),CLASS(P)       
F ACF2,REBUILD(USR),CLASS(P)       
F ACF2,OMVS          
//*                     
//*=============================================================    
//* Case 3: Generating a certificate signed by a 
//*         third-party certificate authority                            
//*=============================================================
//ISKLMCS3 EXEC PGM=IKJEFT01,REGION=0K                              
//SYSPRINT DD SYSOUT=*                                              
//SYSTSPRT DD SYSOUT=*                                              
//SYSTSIN  DD *                                                     
ACF     
*                                     
* Case 3. Generating a certificate signed by a   
*         third-party certificate authority
* 
* Create the ISKLM Keyring
*
SET PROFILE(USER) DIV(KEYRING)     
INSERT ISKLMSRV.RING RINGNAME(ISKLMRing)
*
* Create a FACILITY class resource rule to allow the 
* ISKLM server to read from its Keyring.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW)    
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW)
*
* Generate ISKLM server certificate
*
GENCERT ISKLMSRV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
LABEL(ISKLMServer) SIZE(2048)
*
* Generate and save a certificate request to a dataset
*
GENREQ ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS')
*
* Submit the certificate request in hlq.PUBKEY.S2048.ITOPS to your
* certificate provider. The response you receive is an X.509 certificate.
* Receive the response into dataset 'hlq.THIRD.PARTY.CERT', then
* INSERT (add) the signed certificate into ACF2.
*
SET PROFILE(USER) DIV(CERTDATA)  
INSERT ISKLMSRV.CERT DSN('hlq.THIRD.PARTY.CERT') LABEL(ISKLMServer) 
*
* Send this certificate to other business partners or sites 
* within your enterprise.
*
SET PROFILE(USER) DIV(CERTDATA)
EXPORT ISKLMSRV.CERT DSN('hlq.PUBKEY.S2048.ITOPS') FORMAT(CERTDER)
*
* Connect the certificates to the Security Key Lifecycle Manager
* for z/OS's keyring. Change CERTDATA(CERTAUTH.external) and
* LABEL(External CA label) to the values appropriate for the
* third-party certificate authority that your site used.
*
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(ISKLMSRV.CERT) KEYRING(ISKLMSRV.RING) USAGE(PERSONAL)
CONNECT CERTDATA(CERTAUTH.external) LABEL(External CA label) KEYRING(ISKLMSRV.RING) USAGE(CERTAUTH)
*
* Note TYPE(SAF) is the default for resource class CSFKEYS. Use the
* ACF SHOW CLASMAP command under TSO to verify the TYPE code that
* your site uses for resource class CSFKEYS.
*
SET RESOURCE(SAF)
RECKEY ITOPS ADD( ISKLM.CERT UID(UID string for ISKLMSRV logonid) - 
SERVICE(READ) ALLOW) 
*
* Issue Rebuilds.
* Note REBUILD(SAF) is the default for resource class CSFKEYS. Use the
* ACF SHOW CLASMAP command under TSO to verify the TYPE code that your
* site uses for resource class CSFKEYS and update REBUILD(xxx) accordingly.
*
F ACF2,REBUILD(SAF)
F ACF2,REBUILD(GRP),CLASS(P)       
F ACF2,REBUILD(USR),CLASS(P)       
F ACF2,OMVS         
//* 


Environment

Release: ACF2..001AO-15-ACF2
