Configuring SSL Support for Apache Web Server with ACF2

Article ID: 209889

Products

CA ACF2, CA ACF2 - MISC, CA ACF2 - z/OS

Issue/Introduction

ACF2 certificate configuration commands for Apache Web Server SSL Support. 

Resolution

The following are the ACF2 commands to set up SSL for Apache Web Server.

Reference: Section 7.3 of the IBM Apache Redbook 

* Create a certificate to sign the server certificate
* RACF
* RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('IHS CertAuth') OU('IHS RedPaper')) ,
* WITHLABEL('IHS.Redpaper') TRUST SIZE(1024) NOTAFTER(DATE(2021/12/31))

GENCERT CERTAUTH.IHSROOT SUBJ(CN='IHS CertAuth' OU='IHS RedPaper') - 
LABEL(IHS.Redpaper) SIZE(1024) EXPIRE(12/31/2021)                                           

* Create a server side certificate
* RACF
* RACDCERT ID (IHSAESTC) GENCERT SUBJECTSDN(CN('wtsc55.itso.ibm.com') O('IBM')
* OU('IHS')), WITHLABEL('IHS'), SIGNWITH(CERTAUTH LABEL('IHS.Redpaper')) ,
* SIZE(1024), NOTAFTER(DATE(2021/12/31))

GENCERT IHSAESTC.CERT SUBJ(CN='wtsc55.itso.ibm.com' OU='IHS' O='IBM') - 
LABEL(IHS) SIGNWITH(CERTAUTH LABEL(IHS.Redpaper)) -
SIZE(1024) EXPIRE(12/31/2021) 

* Create a key ring for the userid the server runs under
* RACF
* RACDCERT ADDRING(IHSKeyring.ITSO) ID(IHSAESTC)

SET P(USER) DIV(KEYRING)
INSERT IHSAESTC.RING RINGNAME(IHSKeyring.ITSO)

* Connect server certificate to user keyring
* RACF
* RACDCERT ID(IHSAESTC) CONNECT (LABEL('IHS') RING(IHSKeyring.ITSO) DEFAULT)

CONNECT CERTDATA(IHSAESTC.CERT) KEYRING(IHSAESTC.RING) -
USAGE(PERSONAL) DEFAULT

* Connect signer certificate to user keyring 
* RACF
* RACDCERT ID(IHSAESTC) CONNECT(RING(IHSKeyring.ITSO) LABEL('IHS.Redpaper')
* CERTAUTH)
* SETROPTS RACLIST(DIGTCERT) REFRESH

CONNECT CERTDATA(CERTAUTH.IHSROOT) KEYRING(IHSAESTC.RING) -
USAGE(CERTAUTH)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS(CERTDATA)

* Give the User ID that the IHS server runs under
* access to the certificates 
* RACF
* permit IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IHSAESTC) ACCESS(READ)
* SETROPTS RACLIST(facility) REFRESH

SET R(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID for IHSAESTC logonid) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

* Note: The above resource rule gives the started task logonid access
* through the global IRR.DIGTCERT.LISTRING keyring check. To give the
* logonid access to only the specific IHSKeyring.ITSO keyring, the
* following resource rule in the RDATALIB resource class will need to be coded.
*
* SET R(RDA)
* RECKEY IHSAESTC ADD( IHSKeyring.ITSO.LST UID(UID for IHSAESTC logonid) -
* SERVICE(READ) ALLOW)
* F ACF2,REBUILD(RDA)
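
The following is an added example, not part of this article or of ACF2 itself: a Python pre-flight check run over the SUBJ CN, SIZE and EXPIRE values before a GENCERT is issued, so that the key size, lifetime, host name match and signer expiry are validated once rather than discovered after the certificate is in the keyring. The 2048-bit minimum and 398-day server lifetime are assumed thresholds; the EXPIRE date format mm/dd/yyyy is the one used in the commands above.

```python
from datetime import date, datetime
from typing import List, Optional

MIN_RSA_BITS = 2048          # assumption: minimum RSA size for TLS keys today
MAX_SERVER_CERT_DAYS = 398   # assumption: lifetime limit most TLS clients enforce


def parse_acf2_expire(value: str) -> date:
    """ACF2 EXPIRE takes mm/dd/yyyy, e.g. EXPIRE(12/31/2021)."""
    return datetime.strptime(value, "%m/%d/%Y").date()


def check_gencert(cn: str, size: int, expire: str, today: date,
                  hostname: Optional[str] = None,
                  signer_expire: Optional[str] = None) -> List[str]:
    """Return findings for one GENCERT; an empty list means it passes.

    hostname: the name clients will connect to (server certificates only).
    signer_expire: EXPIRE of the CERTAUTH certificate named in SIGNWITH.
    """
    findings = []
    if size < MIN_RSA_BITS:
        findings.append(f"SIZE({size}) is below the {MIN_RSA_BITS}-bit RSA minimum")
    exp = parse_acf2_expire(expire)
    if exp <= today:
        findings.append(f"EXPIRE({expire}) is not in the future")
    elif hostname is not None and (exp - today).days > MAX_SERVER_CERT_DAYS:
        findings.append(f"EXPIRE({expire}) exceeds {MAX_SERVER_CERT_DAYS} days")
    # A server certificate must carry the name clients will verify against.
    if hostname is not None and cn.lower() != hostname.lower():
        findings.append(f"CN '{cn}' does not match the server host name '{hostname}'")
    # A certificate that outlives its signer fails chain validation after that date.
    if signer_expire is not None and exp > parse_acf2_expire(signer_expire):
        findings.append(f"EXPIRE({expire}) is later than the signer's EXPIRE({signer_expire})")
    return findings


if __name__ == "__main__":
    # Constructed run against the two GENCERTs in the article, as of 2021-01-01.
    today = date(2021, 1, 1)
    ca = check_gencert("IHS CertAuth", 1024, "12/31/2021", today)
    srv = check_gencert("wtsc55.itso.ibm.com", 1024, "12/31/2021", today,
                        hostname="wtsc55.itso.ibm.com", signer_expire="12/31/2021")
    for name, found in (("CERTAUTH.IHSROOT", ca), ("IHSAESTC.CERT", srv)):
        print(name, "OK" if not found else "; ".join(found))
```

Run against the article's two GENCERTs as of 2021-01-01, the only finding is the 1024-bit key size; run today, the 2021 EXPIRE dates are flagged as well.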

Additional Information

For more information on digital certificate commands in ACF2, see the Digital Certificate Support section in the ACF2 documentation.
For more information on certificate configuration for SSL/TLS applications in ACF2, see the Configure Key Rings and Certificates for SSL/TLS Applications section in the ACF2 documentation.