How do you set up the keystore.jks and truststore.jks that are needed for a new product installation?
Release : 16.0
Component : ACF2 for z/OS
Certificates can be generated in two ways: with ACF2, or with keytool (or any other USS tool). Both options are explained below with sample commands:
1. Create keystore using ACF2:
a. Generate the server certificate and either sign it with the self-signed CA certificate or have it signed by an external CA, following the product's instructions for generating the certificates it needs.
ACF2 can generate a certificate with the GENCERT command.
b. Export the server certificate and its associated private key to an MVS data set.
ACF
EXPORT name.cert DSNAME(dataset.name) FORMAT(PKCS12DER) PASSWORD(storepass)
END
The PASSWORD(storepass) option assigns a password to the keystore.
c. Copy the MVS data set to a z/OS UNIX file:
OPUT dataset.name 'path of USS file system where keystore.jks will be stored' BINARY
2. Create keystore using keytool:
a. Generate a self-signed certificate. Issue the following command:
keytool -genkey -alias alias -keysize keysize -dname "dname" -validity valDays -keystore keystore -storepass storepass
b. Create a certificate signing request (CSR) to get the certificate signed:
keytool -certreq -alias alias -keystore keystore -storepass storepass -file filename
c. Import the signed certificate back to USS
keytool -import -alias alias -keystore keystore -storepass storepass -file filename
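
Added example (not part of the original article or of the product's own tooling): the ACF2 export in option 1 writes FORMAT(PKCS12DER) even when the target file is named keystore.jks, so this script identifies a keystore's on-disk format from its leading bytes and lists it with the matching -storetype. The function names are hypothetical; the byte patterns are the JKS and JCEKS magic numbers and the DER header of a PKCS#12 PFX.

```shell
#!/bin/sh
# Added example: identify a keystore file's on-disk format from its first
# bytes. Function names are hypothetical, not ACF2 or keytool features.

# head_hex FILE COUNT: first COUNT bytes as lowercase hex, no separators.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \t\n'
}

# keystore_format FILE: prints JKS, JCEKS, PKCS12 or UNKNOWN.
# UNKNOWN (exit status 1) can indicate a file altered by a text-mode copy,
# which is why step 1c transfers the data set with BINARY.
keystore_format() {
    [ -r "$1" ] || { echo "UNKNOWN"; return 1; }
    hex=$(head_hex "$1" 8)
    case "$hex" in
        feedfeed*) echo "JKS" ;;      # JKS magic number
        cececece*) echo "JCEKS" ;;    # JCEKS magic number
        # DER SEQUENCE tag 0x30, a length field, then INTEGER 3 (PFX version)
        30??020103*|3081??020103*|3082????020103*|3083??????020103*)
            echo "PKCS12" ;;
        *) echo "UNKNOWN"; return 1 ;;
    esac
}

# list_keystore FILE: list the entries using the detected store type.
# -storepass is omitted so keytool prompts for it instead of exposing the
# password in the process list or shell history.
list_keystore() {
    fmt=$(keystore_format "$1") || {
        echo "unrecognised keystore format: $1" >&2
        return 1
    }
    keytool -list -v -keystore "$1" -storetype "$fmt"
}
```

Run list_keystore against the file copied in step 1c or created in step 2 to confirm that the private key entry and certificate chain are present before pointing the product at it.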