Convert RACF commands to Top Secret to setup the IBM IKED started task
Article ID: 223241


Products

Top Secret

Issue/Introduction

Need to convert the following RACF commands to TSS commands:

Step 1: Create a RACF® key ring for the user ID under which the IKED is to run
Digital certificates are made available to the IKE daemon by connecting them to a key ring that is owned by the IKE daemon. To create a key ring for the IKE daemon, issue the following TSO command:
RACDCERT ID(IKED) ADDRING(IKEDKEY)

The value used for IKEDKEY is case sensitive.

Step 2: Install an X509 digital certificate to be used by the native certificate service.
The procedure for installing a digital certificate on a SAF key ring for the native certificate service to use is similar to the procedure for installing a digital certificate on a SAF key ring for the NSS certificate service to use. For details, see IPSec certificate management.

Steps for generating a self-signed X509 digital certificate
The IKE daemon and NSS server require the ability to retrieve digital certificates associated with a particular identity from a RACF® key ring, and to perform operations with the associated private key.

Before you begin
The certificate that is assigned to the secure server is a locally-signed certificate rather than one signed by a certificate authority. Assume that the local certificate authority has the distinguished name of OU='Local Certificate Authority',O=IBM,C=US.

Requirement: If you are creating a certificate for a stack configured to use the certificate service from an NSS server, issue these commands against the RACF database for the system on which the NSS server runs. The user ID in the examples must be the user ID running the NSS server and the key ring must be the key ring configured in the NSS server's configuration file.

Procedure
Perform the following steps to implement a locally signed server certificate:
1. Generate a self-signed certificate to represent the local certificate authority:
RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('IKED Local Certificate Authority') O('BROADCOM') C('US'))
KEYUSAGE(CERTSIGN) WITHLABEL('BROADCOM-IKED')

This certificate is used as the certificate authority certificate.

2. Export the certificate to a data set (in this case, USER1.LOCCERTA.CERT):
RACDCERT CERTAUTH EXPORT(LABEL('BROADCOM-IKED')) DSN('LANRO03.BROADCOM.IKED.CERT') 

3. Create a certificate for the server that is signed with the certificate authority certificate that was created in step 1:
RACDCERT ID(IKED) GENCERT SUBJECTSDN(CN('MVSXE23 STACK1') OU('Inventory') O('BROADCOM') C('US'))
WITHLABEL('MVSXE23 STACK1') ALTNAME(DOMAIN('broadcom.com'))
SIGNWITH(CERTAUTH LABEL('BROADCOM-IKED'))

4. Connect the certificate to an existing key ring:
RACDCERT ID(IKED) CONNECT(LABEL('MVSXE23 STACK1') RING(IKEDKEY) USAGE(PERSONAL))

5. Connect the local certificate authority certificate to the key ring:
RACDCERT ID(IKED) CONNECT(CERTAUTH LABEL('BROADCOM-IKED') RING(IKEDKEY) USAGE(CERTAUTH))

This completes the certificate hierarchy from root to SYSTEMA STACK1.

6. Add the following statement to the IKE daemon configuration file, iked.conf, or the NSS server configuration file, nssd.conf:

Keyring   IKED/ikeyring

Results
You know you are done when the X509 digital certificate is available, and is mapped to the X500DN identity CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US from the certificate's subject name, and the FQDN identity ibm.com from the certificate's alternate subject name.

You can verify that the certificates that you have created are connected to the key ring associated with user ID IKED by using the RACDCERT command and examining the output of the Ring Associations field. Verify that the certificate authority was created and added to the IKED/ikeyring as follows:

RACDCERT CERTAUTH LIST(LABEL('IBM Local Certificate Authority'))

Verify that the personal certificate for the IKE daemon was created and added to the IKED/ikeyring as follows:

Resolution

Step 1: Create a RACF® key ring for the user ID under which the IKED is to run

Digital certificates are made available to the IKE daemon by connecting them to a key ring that is owned by the IKE daemon. To create a key ring for the IKE daemon, issue the following TSO command:

RACDCERT ID(IKED) ADDRING(IKEDKEY)
TSS ADD(IKED) KEYRING(IKEDKEY)

The value used for IKEDKEY is case sensitive.

Step 2: Install an X509 digital certificate to be used by the native certificate service

The procedure for installing a digital certificate on a SAF key ring for the native certificate service to use is similar to the procedure for installing a digital certificate on a SAF key ring for the NSS certificate service to use. For details, see IPSec certificate management.

Steps for generating a self-signed X509 digital certificate

The IKE daemon and NSS server require the ability to retrieve digital certificates associated with a particular identity from a RACF® key ring, and to perform operations with the associated private key.

Before you begin

The certificate that is assigned to the secure server is a locally-signed certificate rather than one signed by a certificate authority. Assume that the local certificate authority has the distinguished name of OU='Local Certificate Authority',O=IBM,C=US.

Requirement: If you are creating a certificate for a stack configured to use the certificate service from an NSS server, issue these commands against the RACF database for the system on which the NSS server runs. The user ID in the examples must be the user ID running the NSS server and the key ring must be the key ring configured in the NSS server's configuration file.

Procedure

Perform the following steps to implement a locally signed server certificate:

  1. Generate a self-signed certificate to represent the local certificate authority:

TSS GENCERT(CERTAUTH) DIGICERT(IKEDCA) LABLCERT('BROADCOM-IKED') SUBJECTN('OU="IKED Local Certificate Authority" O="BROADCOM" C="US"') KEYUSAGE(CERTSIGN)

This certificate is used as the certificate authority certificate.

  2. Export the certificate to a data set (in this case, USER1.LOCCERTA.CERT):

TSS EXPORT(CERTAUTH) DIGICERT(IKEDCA) DCDSN('LANRO03.BROADCOM.IKED.CERT')

  3. Create a certificate for the server that is signed with the certificate authority certificate that was created in step 1:

TSS GENCERT(CERTSITE) DIGICERT(XE23STCK) SUBJECTN('CN="MVSXE23 STACK1" OU="Inventory" O="BROADCOM" C="US"') LABLCERT('MVSXE23 STACK1') ALTNAME('DOMAIN=broadcom.com') SIGNWITH(CERTAUTH,IKEDCA)

  4. Connect the certificate to an existing key ring:

TSS ADD(IKED) KEYRING(IKEDKEY) RINGDATA(CERTSITE,XE23STCK) USAGE(PERSONAL)

  5. Connect the local certificate authority certificate to the key ring:

TSS ADD(IKED) KEYRING(IKEDKEY) RINGDATA(CERTAUTH,IKEDCA) USAGE(CERTAUTH)

This completes the certificate hierarchy from root to SYSTEMA STACK1.

  6. Add the following statement to the IKE daemon configuration file, iked.conf, or the NSS server configuration file, nssd.conf:

Keyring   IKED/ikeyring
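As an added example (not part of this article and not a Broadcom tool), a small Python translator that applies the RACDCERT-to-TSS mapping shown above for the ADDRING, EXPORT and CONNECT commands, including the CERTAUTH versus CERTSITE choice in RINGDATA. It assumes a site-chosen mapping from RACF certificate label to the 1-8 character DIGICERT name, because Top Secret addresses a certificate by that name rather than by its label; GENCERT is left to be written by hand.

```python
import re

# Keyword patterns for the three RACDCERT verbs this converter handles.
_ID = re.compile(r"\bID\((\w+)\)")
_ADDRING = re.compile(r"\bADDRING\((\w+)\)")
_EXPORT = re.compile(r"\bEXPORT\(LABEL\('([^']+)'\)\)\s+DSN\('([^']+)'\)")
_CONNECT = re.compile(
    r"\bCONNECT\((CERTAUTH\s+)?LABEL\('([^']+)'\)\s+RING\((\w+)\)\s+USAGE\((\w+)\)\)")


def digicert_name(label, digicert_by_label):
    """Return the 1-8 character DIGICERT name chosen on Top Secret for a RACF
    label (assumed site mapping); TSS addresses certificates by that name."""
    name = digicert_by_label.get(label)
    if name is None or not 1 <= len(name) <= 8:
        raise ValueError(f"no valid 1-8 character DIGICERT name for label {label!r}")
    return name


def racdcert_to_tss(cmd, digicert_by_label):
    """Translate one RACDCERT ADDRING, EXPORT or CONNECT command into the TSS
    command this article pairs with it. GENCERT is left to be written by hand."""
    cmd = " ".join(cmd.split())          # join TSO continuation lines
    if not cmd.upper().startswith("RACDCERT "):
        raise ValueError("not a RACDCERT command: " + cmd)
    owner = _ID.search(cmd)
    acid = owner.group(1) if owner else "CERTAUTH"   # no ID(): CA-owned cert

    if m := _ADDRING.search(cmd):
        return f"TSS ADD({acid}) KEYRING({m.group(1)})"
    if m := _EXPORT.search(cmd):
        name = digicert_name(m.group(1), digicert_by_label)
        return f"TSS EXPORT({acid}) DIGICERT({name}) DCDSN('{m.group(2)}')"
    if m := _CONNECT.search(cmd):
        is_ca, label, ring, usage = m.groups()
        kind = "CERTAUTH" if is_ca else "CERTSITE"  # RINGDATA needs the cert type
        name = digicert_name(label, digicert_by_label)
        return f"TSS ADD({acid}) KEYRING({ring}) RINGDATA({kind},{name}) USAGE({usage})"
    raise ValueError("unsupported RACDCERT verb: " + cmd)


# Constructed sample: the article's RACF commands and the DIGICERT names it uses.
NAMES = {"BROADCOM-IKED": "IKEDCA", "MVSXE23 STACK1": "XE23STCK"}
SAMPLE = [
    "RACDCERT ID(IKED) ADDRING(IKEDKEY)",
    "RACDCERT CERTAUTH EXPORT(LABEL('BROADCOM-IKED')) DSN('LANRO03.BROADCOM.IKED.CERT')",
    "RACDCERT ID(IKED) CONNECT(LABEL('MVSXE23 STACK1') RING(IKEDKEY) USAGE(PERSONAL))",
    "RACDCERT ID(IKED) CONNECT(CERTAUTH LABEL('BROADCOM-IKED') RING(IKEDKEY) USAGE(CERTAUTH))",
]
```

Running `racdcert_to_tss` over `SAMPLE` with `NAMES` reproduces the TSS commands of steps 2, 4 and 5 and the key ring definition of step 1.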

Results

You know you are done when the X509 digital certificate is available, and is mapped to the X500DN identity CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US from the certificate's subject name, and the FQDN identity ibm.com from the certificate's alternate subject name.

You can verify that the certificates that you have created are connected to the key ring associated with user ID IKED by using the RACDCERT command and examining the output of the Ring Associations field. Verify that the certificate authority was created and added to the IKED/ikeyring as follows:

TSS LIST(IKED) SEGMENT(RINGDATA)
TSS LIST(CERTAUTH or CERTSITE) DIGICERT(8-character-digicertname)

Verify that the personal certificate for the IKE daemon was created and added to the IKED/ikeyring as follows: