What is the CA ACF2 setup for SMP/E for z/OS Internet Service Retrieval Setup?

Article ID: 22365

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

What is the CA ACF2 setup for SMP/E for z/OS Internet Service Retrieval Setup?

Environment

Release:
Component: ACF2MS

Resolution

A user digital certificate is needed by the SMP/E RECEIVE ORDER command to uniquely identify a user to the IBM Automated Service Delivery server.

Prior to setting up the required digital certificates as described in this document, a site needs to obtain the User Certificate and the Certificate Authority Certificate as described in the IBM SMP/E for z/OS User's Guide in the chapter on Preparing to Use Internet Service Retrieval. Be sure to upload the certificates in binary format with RECFM=VB.

A site can establish certificates for each user or share a user certificate among multiple userids. To share a user certificate among multiple users follow the steps under SMP/E Internet Service Retrieval Shared Certificates. To establish certificates for each user follow the steps under SMP/E Internet Service Retrieval Non-Shared Certificates.

SMP/E Internet Service Retrieval Shared Certificates

This example assumes that two userids, user1 and user2, will share a single user certificate.

1. Create an ACF2 keyring for user1 to be shared with user2 or other users.

    SET PROFILE(USER) DIV(KEYRING)
    INSERT user1.ring RINGNAME(smpe_user_keyring)

    Note: The above ringname must match (case as well) the keyring name specified in step 

2. Add the user certificate to the ACF2 data base.

    SET PROFILE(USER) DIV(CERTDATA)
    INSERT user1.cert DSN('mvs.dataset.name') LABEL(cert label) -
     PASSWORD(ppppppp) TRUST
 
3. Alter the user certificate to mark it trusted.

    SET PROFILE(USER) DIV(CERTDATA)
    CHANGE user1.cert TRUST

4. Connect the user certificate to your keyring.

    SET PROFILE(USER) DIV(KEYRING)
    CONNECT CERTDATA(user1.cert) KEYRING(user1.ring) USAGE(CERTAUTH)

    The CERTDATA specified above should match the user certificate specified on the
    ACF2 insert command in step 2.

    The KEYRING specified above should match the keyring specified on the ACF2 insert
     command in step 1.

5. Add the GeoTrust CA certificate to the ACF2 data base. This is the Certificate Authority Certificate as
    mentioned above.

   SET PROFILE(USER) DIV(CERTDATA)
   INSERT certauth.geotrust DSN('mvs.dataset.name2') -
     LABEL(certauth.geotrust) TRUST

6. Connect the GeoTrust CA certificate to your keyring.

     SET PROFILE(USER) DIV(KEYRING)
     CONNECT CERTDATA(certauth.geotrust) KEYRING(user1.ring)

     The CERTDATA specified above should match the CA certificate specified on the
     ACF2 insert command in step 5. If a naming convention other than "certauth." is
     used, then add the parm USAGE(CERTAUTH) to the above CONNECT command.

     The KEYRING specified above should match the keyring specified on the ACF2
     insert command in step 1.

7. Give USER2 permission to read other users' keyrings and certificates as shown in this example:

   $KEY(IRR) TYPE(FAC)
   DIGTCERT.LIST UID(user2 UID string) SERVICE(READ) ALLOW
   DIGTCERT.LISTRING UID(user2 UID string) SERVICE(UPDATE) ALLOW

   The UID string in the above rules can be coded to cover all of the users that
   are to share the certificate.

8. Ensure that SMP/E finds the certificate in the correct keyring when executing the RECEIVE ORDER
    command. To do this, USER2 must specify not only the keyring name, but also the userid associated
    with the keyring, USER1, on the keyring attribute in the ORDERSERVER data set as follows:

    keyring="user1/smpe_user_keyring"
    certificate="cert label"

    Note: The ringname portion above (after the owning userid) must match (case as well) the
              keyring name specified in the ACF2 INSERT command from step 1.

9. Before attempting to use the defined KEYRING and CERTDATA records, you will need to issue these
    operator commands to activate them:

   F ACF2,REBUILD(USR),CLASS(P)
   F ACF2,OMVS(CERTDATA)
   F ACF2,REBUILD(FAC)

SMP/E Internet Service Retrieval Non-Shared Certificates

1. Create an ACF2 keyring for user1.

   SET PROFILE(USER) DIV(KEYRING)
   INSERT user1.ring RINGNAME(smpe_user_keyring)

2. Add the user certificate to the ACF2 data base.

   SET PROFILE(USER) DIV(CERTDATA)
   INSERT user1.cert DSN('mvs.dataset.name') LABEL(cert label) -     
    PASSWORD(ppppppp) TRUST

3. Alter the user certificate to mark it trusted.

   SET PROFILE(USER) DIV(CERTDATA)
   CHANGE user1.cert TRUST

4. Connect the user certificate to your keyring.

   SET PROFILE(USER) DIV(KEYRING)
   CONNECT CERTDATA(user1.cert) KEYRING(user1.ring)

   The CERTDATA specified above should match the user certificate specified on the     
   ACF2 insert command in step 2.

   The KEYRING specified above should match the keyring specified on the ACF2
   insert command in step 1.

5. Add the GeoTrust CA certificate to the ACF2 data base. This is the Certificate Authority Certificate as
    mentioned above.

    SET PROFILE(USER) DIV(CERTDATA)
    INSERT certauth.geotrust DSN('mvs.dataset.name2') -
      LABEL(certauth.geotrust) TRUST

6. Connect the GeoTrust CA certificate to your keyring.

     SET PROFILE(USER) DIV(KEYRING)
     CONNECT CERTDATA(certauth.geotrust) KEYRING(user1.ring)

     The CERTDATA specified above should match the CA certificate specified on the
     ACF2 insert command in step 5.

     The KEYRING specified above should match the keyring specified on the ACF2
     insert command in step 1.

7. Repeat all of the above steps, except step 5, for each additional user. Each user will then have a
    keyring containing their own user certificate and the CA certificate.

8. Ensure that SMP/E finds the certificate in the correct keyring when executing the RECEIVE ORDER
    command. To do this, the keyring attribute in the ORDERSERVER data set is set as follows:

    keyring="smpe_user_keyring"
    certificate="cert label"

    Note: The above ringname must match (case as well) the keyring name specified in
          the ACF2 INSERT command from step 1.

9. Before attempting to use the defined KEYRING and CERTDATA records, you will need to issue these
    operator commands to activate them:

    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS(CERTDATA)
    F ACF2,REBUILD(FAC)
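Both procedures above hinge on a handful of names lining up exactly: the CERTDATA and KEYRING operands on each CONNECT must match an earlier INSERT, every keyring needs a CA certificate (a "certauth." record or USAGE(CERTAUTH)), and the keyring= and certificate= attributes in the ORDERSERVER data set must match the RINGNAME and LABEL, with the ringname compared case-sensitively. The following checker is an added example written for this article; it is not CA/Broadcom or IBM code. It parses a constructed copy of the article's command stream and ORDERSERVER attributes and reports those mismatches before the operator REBUILD commands are issued. The "owner/ringname" form of the keyring attribute, used when the ring belongs to another userid as in step 8 of the shared procedure, is an assumption of this checker.

```python
"""Consistency checker for ACF2 KEYRING/CERTDATA commands and the matching
SMP/E ORDERSERVER keyring= / certificate= attributes (added example, not
part of the article; the owner/ringname keyring form is assumed)."""
import re

_KW = re.compile(r"(\w+)\(([^)]*)\)")        # KEYWORD(value) operands
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')   # ORDERSERVER name="value" attributes


def _logical_lines(text):
    """Join ACF2 continuation lines (trailing '-') and drop blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.endswith("-"):
            buf += s[:-1].rstrip() + " "
        else:
            out.append(buf + s)
            buf = ""
    return out


def parse_acf2(text):
    """Return (keyrings, certs, connects): keyrings maps record -> RINGNAME,
    certs maps record -> {'label', 'trust'}, connects lists (certdata, keyring, usage)."""
    division, keyrings, certs, connects = "", {}, {}, []
    for line in _logical_lines(text):
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        kws = {k.upper(): v for k, v in _KW.findall(rest)}
        flags = _KW.sub("", rest).upper().split()      # bare keywords such as TRUST
        toks = rest.split()
        record = toks[0] if toks else ""
        if verb == "SET":
            division = kws.get("DIV", kws.get("DIVISION", "")).upper()
        elif verb == "INSERT" and division == "KEYRING":
            keyrings[record] = kws.get("RINGNAME", "")
        elif verb == "INSERT" and division == "CERTDATA":
            certs[record] = {"label": kws.get("LABEL", ""), "trust": "TRUST" in flags}
        elif verb == "CHANGE" and division == "CERTDATA" and record in certs:
            certs[record]["trust"] = certs[record]["trust"] or "TRUST" in flags
        elif verb == "CONNECT":
            connects.append((kws.get("CERTDATA", ""), kws.get("KEYRING", ""),
                             kws.get("USAGE", "").upper()))
    return keyrings, certs, connects


def check(acf2_text, orderserver_text):
    """Return a list of problem descriptions; an empty list means the names line up."""
    keyrings, certs, connects = parse_acf2(acf2_text)
    attrs = {k.lower(): v for k, v in _ATTR.findall(orderserver_text)}
    problems = []
    for certdata, keyring, _ in connects:
        if certdata not in certs:
            problems.append(f"CONNECT CERTDATA({certdata}) matches no CERTDATA INSERT")
        elif not certs[certdata]["trust"]:
            problems.append(f"{certdata} is connected but never marked TRUST")
        if keyring not in keyrings:
            problems.append(f"CONNECT KEYRING({keyring}) matches no KEYRING INSERT")
    # Every ring needs a CA certificate: a "certauth." record or explicit USAGE(CERTAUTH).
    for ring in keyrings:
        if not any(k == ring and (c.lower().startswith("certauth.") or u == "CERTAUTH")
                   for c, k, u in connects):
            problems.append(f"{ring} has no CA certificate connected "
                            "(use a certauth. record or USAGE(CERTAUTH))")
    # keyring= must equal the RINGNAME exactly (case matters); an owner/ringname
    # prefix (assumed form for another user's ring) must match the record's userid.
    owner, _, ringname = attrs.get("keyring", "").rpartition("/")
    matching = [r for r, name in keyrings.items() if name == ringname
                and (not owner or r.split(".")[0].upper() == owner.upper())]
    if not matching:
        problems.append(f'ORDERSERVER keyring="{attrs.get("keyring", "")}" matches '
                        "no KEYRING INSERT RINGNAME (check case and owner)")
    else:
        label = attrs.get("certificate", "")
        if not any(k in matching and certs.get(c, {}).get("label") == label
                   for c, k, _ in connects):
            problems.append(f'ORDERSERVER certificate="{label}" is not the LABEL of any '
                            f"certificate connected to {matching[0]}")
    return problems


# Constructed sample input following the article's non-shared procedure.
GOOD_ACF2 = """
SET PROFILE(USER) DIV(KEYRING)
INSERT user1.ring RINGNAME(smpe_user_keyring)
SET PROFILE(USER) DIV(CERTDATA)
INSERT user1.cert DSN('mvs.dataset.name') LABEL(cert label) -
 PASSWORD(ppppppp) TRUST
CHANGE user1.cert TRUST
INSERT certauth.geotrust DSN('mvs.dataset.name2') -
  LABEL(certauth.geotrust) TRUST
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(user1.cert) KEYRING(user1.ring)
CONNECT CERTDATA(certauth.geotrust) KEYRING(user1.ring)
"""
GOOD_ORDERSERVER = 'keyring="user1/smpe_user_keyring"\ncertificate="cert label"'

# Constructed faulty variant: CA record under a site-specific name with no
# USAGE(CERTAUTH), and the ORDERSERVER ringname in the wrong case.
BAD_ACF2 = GOOD_ACF2.replace("certauth.geotrust", "ca.geotrust")
BAD_ORDERSERVER = 'keyring="SMPE_USER_KEYRING"\ncertificate="cert label"'

if __name__ == "__main__":
    for name, acf2, srv in (("good", GOOD_ACF2, GOOD_ORDERSERVER),
                            ("bad", BAD_ACF2, BAD_ORDERSERVER)):
        print(name, check(acf2, srv) or "OK")
```

Run it before issuing the F ACF2,REBUILD commands; the "bad" sample shows the two failure modes the article calls out (a missing USAGE(CERTAUTH) on a CA certificate that does not use the "certauth." naming convention, and a ringname that differs only in case).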