Top Secret commands to set up Certificates for IntelliMagic

Article ID: 194485

Products

CA Top Secret, CA Top Secret - LDAP, CA Web Administrator for Top Secret

Issue/Introduction

Translation of the RACF digital certificate commands used to set up IntelliMagic into their CA Top Secret equivalents.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

//* Allow certificate processing for user
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(<USER-ID>) ACCESS(READ)
PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(<USER-ID>) ACCESS(READ)
PERMIT IRR.DIGTCERT.ALTER CLASS(FACILITY) ID(<USER-ID>) ACCESS(READ)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(<USER-ID>) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(<USER-ID>) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(<USER-ID>) ACCESS(READ)

TSS ADD(dept acid) IBMFAC(IRR.)   ==> This is probably already done.
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.ADD) ACCESS(READ)
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.ADDRING) ACCESS(READ)
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.ALTER) ACCESS(READ)
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.CONNECT) ACCESS(UPDATE)
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE) ===> Read does not always work and sometimes Control is needed.
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE) ===> Read does not always work and sometimes Control is needed.

SETROPTS REFRESH RACLIST(FACILITY) GENERIC(FACILITY)
==> There is no TSS equivalent or necessary command for SETROPTS.

/*
//

Note: Verify with your SAF (i.e. RACF) administrator if the FACILITY class is being RACLISTed.

Step 5: You can use the following sample JCL if the IRR.DIGTCERT.* resources in the FACILITY class are not yet defined on your system.

//*
//* Define IRR FACILITY class
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ALTER UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)

SETROPTS REFRESH RACLIST(FACILITY) GENERIC(FACILITY)
==> Already done above; there is no TSS equivalent or necessary command for SETROPTS.

/*
//

Step 6: Create a key ring for the IntelliMagic certificate.

//*
//* Create Key ring
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(<USER-ID>) ADDRING(IMCERT)

TSS ADD(acid) KEYRING(IMCERT) 
/*
//

Step 7: Add IntelliMagic certificate and associate it with a specific user.

//*
//* Add IM certificate to RACF
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(<USER-ID>) ADD('SHARE21.IM.CERT') +
WITHLABEL('IntelliMagic Certificate') +
TRUST
SETROPTS REFRESH RACLIST(DIGTCERT)

TSS ADD(acid/certsite) DIGICERT(digicert) LABLCERT('IntelliMagic Certificate') DCDSN(dataset where certificate resides) TRUST ==> If the certificate has a private key then own it by CERTSITE so the private key can be shared.
/*
//

Step 8: Connect the certificate to the IntelliMagic keyring.

//*
//* Connect certificate to keyring
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(<USER-ID>) CONNECT(LABEL('IntelliMagic Certificate') +
RING(IMCERT) USAGE(CERTAUTH))
SETROPTS REFRESH RACLIST(DIGTCERT)


TSS ADD(acid/certsite) KEYRING(IMCERT) RINGDATA(acid/certsite,digicert) USAGE(CERTAUTH) ===> The digicert in the RINGDATA parameter is the common name given to the certificate in step 7.
/*
//

Step 9 (optional): you may need to allow the specific user to use ICSF services.

//*
//* Allow user to CSFIQA
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
PERMIT CSFIQA CLASS(CSFSERV) ID(<USER-ID>) ACCESS(READ)
SETROPTS REFRESH RACLIST(CSFSERV)

TSS ADD(dept) CSFSERV(CSFIQA)  ===> Probably already done.
TSS PERMIT(acid) CSFSERV(CSFIQA) ACCESS(READ)

/*
//

Step 10: Add the GoDaddy root certificate.

//*
//* Add root certificate to RACF
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT CERTAUTH +
ADD('SHARE21.IM.CERT.GODADDY') +
WITHLABEL('IntelliMagic Root Certificate') +
HIGHTRUST
SETROPTS REFRESH RACLIST(DIGTCERT)

TSS ADD(CERTAUTH) DIGICERT(digicert) LABLCERT('IntelliMagic Root Certificate') DCDSN(dataset where certificate resides) TRUST


/*
//

Step 11: Connect the GoDaddy root certificate to the same key ring.

//*
//* Connect root certificate to keyring
//*
//TSO EXEC PGM=IKJEFT1A
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(<USER-ID>) CONNECT( +
CERTAUTH +
LABEL('IntelliMagic Root Certificate') +
RING(IMCERT) USAGE(CERTAUTH))
SETROPTS REFRESH RACLIST(DIGTCERT)

TSS ADD(acid) KEYRING(IMCERT) RINGDATA(CERTAUTH,digicert) USAGE(CERTAUTH) ===> The digicert in the RINGDATA parameter is the common name given to the root certificate with DIGICERT in step 10.
/*
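The RACF-to-Top Secret mapping above is mechanical for the PERMIT, RDEFINE, SETROPTS and RACDCERT ADDRING commands, so a small translator can apply it to a whole SYSTSIN stream and flag the RACDCERT ADD/CONNECT commands that need a DIGICERT name chosen on the TSS side. The script below is an added example, not code from Broadcom or this article; it uses only the mappings the article gives (IBMFAC for FACILITY, CSFSERV for CSFSERV, UPDATE for IRR.DIGTCERT.LIST and LISTRING, no SETROPTS equivalent, ownership of the IRR. prefix by a department ACID). The ACID names USER01 and DEPT01 and the sample SYSTSIN are constructed, and the rule that the owned prefix is the first qualifier of the resource name is an assumption.

```python
"""Translate the RACF digital-certificate commands in this article into their
CA Top Secret (TSS) equivalents, using only the mappings the article gives.
Added example, not Broadcom's code."""
import re

# Resources for which the article recommends UPDATE under TSS, because READ
# "does not always work and sometimes CONTROL is needed".
HIGHER_ACCESS = {"IRR.DIGTCERT.LIST", "IRR.DIGTCERT.LISTRING"}

# RACF class name -> TSS resource-class keyword, as used in the article.
CLASS_KEYWORD = {"FACILITY": "IBMFAC", "CSFSERV": "CSFSERV"}

PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\((\S+)\)\s+ACCESS\((\w+)\)$", re.I)
RDEFINE_RE = re.compile(r"^RDEFINE\s+(\w+)\s+(\S+)\s+UACC\((\w+)\)$", re.I)
ADDRING_RE = re.compile(r"^RACDCERT\s+ID\((\S+)\)\s+ADDRING\((\S+)\)$", re.I)


def commands_from_sysin(text):
    """Pull RACF commands out of a SYSTSIN stream: JCL statements and the
    in-stream delimiters are skipped, and a line ending in '+' is joined
    with the line that follows it (TSO command continuation)."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.startswith("/*"):
            continue
        if line.endswith("+"):
            pending += line[:-1].rstrip() + " "
            continue
        commands.append((pending + line).strip())
        pending = ""
    return commands


def translate(cmd, dept="DEPT01"):
    """Return the TSS line(s) for one RACF command. Lines starting with '*'
    are notes for the administrator, not commands. DEPT01 is a constructed
    department ACID standing in for the article's "dept acid"."""
    m = PERMIT_RE.match(cmd)
    if m:
        resource, racf_class, acid, access = m.groups()
        keyword = CLASS_KEYWORD.get(racf_class.upper())
        if keyword is None:
            return [f"* no mapping given for class {racf_class}: {cmd}"]
        resource, access, note = resource.upper(), access.upper(), []
        if resource in HIGHER_ACCESS and access == "READ":
            access = "UPDATE"
            note = ["* READ does not always work here; CONTROL is sometimes needed"]
        return [f"TSS PERMIT({acid}) {keyword}({resource}) ACCESS({access})"] + note
    m = RDEFINE_RE.match(cmd)
    if m:
        racf_class, resource, _uacc = m.groups()
        keyword = CLASS_KEYWORD.get(racf_class.upper())
        if keyword is None:
            return [f"* no mapping given for class {racf_class}: {cmd}"]
        # TSS has no per-resource RDEFINE: a department ACID owns a resource
        # prefix instead (the article's "TSS ADD(dept acid) IBMFAC(IRR.)").
        # Assumption: the owned prefix is the first qualifier of the name.
        resource = resource.upper()
        prefix = resource.split(".")[0] + "." if "." in resource else resource
        return [f"TSS ADD({dept}) {keyword}({prefix})",
                "* probably already done; one ADD covers every resource under the prefix"]
    if cmd.upper().startswith("SETROPTS"):
        return ["* no TSS equivalent or necessary command for SETROPTS"]
    m = ADDRING_RE.match(cmd)
    if m:
        acid, ring = m.groups()
        return [f"TSS ADD({acid}) KEYRING({ring})"]
    if cmd.upper().startswith("RACDCERT"):
        # DIGICERT names and RINGDATA are chosen on the TSS side (steps 7-11),
        # so these are left for the administrator to translate.
        return [f"* translate by hand (see steps 7-11): {cmd}"]
    return [f"* unrecognized command: {cmd}"]


def translate_sysin(text, dept="DEPT01"):
    """Translate a whole SYSTSIN stream; returns the TSS lines in order.
    Repeated ownership ADDs are emitted once, since one covers the prefix."""
    out, seen = [], set()
    for cmd in commands_from_sysin(text):
        lines = translate(cmd, dept)
        if lines[0].startswith("TSS ADD(") and lines[0] in seen:
            continue
        seen.add(lines[0])
        out.extend(lines)
    return out


# Constructed sample SYSTSIN, modelled on the article's JCL with USER01 as the ACID.
SAMPLE_SYSIN = """\
//SYSTSIN DD *
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(USER01) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(USER01) ACCESS(READ)
SETROPTS REFRESH RACLIST(FACILITY) GENERIC(FACILITY)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
RACDCERT ID(USER01) ADDRING(IMCERT)
RACDCERT ID(USER01) ADD('SHARE21.IM.CERT') +
WITHLABEL('IntelliMagic Certificate') +
TRUST
PERMIT CSFIQA CLASS(CSFSERV) ID(USER01) ACCESS(READ)
/*
"""

if __name__ == "__main__":
    for line in translate_sysin(SAMPLE_SYSIN):
        print(line)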