
Set up a keystore .jks and a truststore .jks


Article ID: 239120


Products

ACF2

Issue/Introduction

How do you set up the keystore .jks and truststore .jks that are needed for a new product installation?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

There are two options for generating the certificates: ACF2 or keytool (or any other USS tool). Both are explained below with sample commands:
1. Create keystore using ACF2:
a. Generate the server certificate and sign it with the self-signed CA certificate, or have it signed by an external CA, following the product's instructions for generating the required certificates.

ACF2 can generate a certificate with the GENCERT command.

b. Export the server certificate and its associated private key to an MVS data set.
ACF
EXPORT name.cert DSNAME(dataset.name) FORMAT(PKCS12DER) PASSWORD(storepass)
END

The PASSWORD(storepass) option assigns a password to the keystore.

c. Copy the MVS data set to a z/OS UNIX file
OPUT dataset.name 'path of USS file system where keystore.jks will be stored' BINARY

2. Create keystore using keytool: 

a. Generate a self-signed certificate. Issue the following command:
keytool -genkey -alias alias -keysize keysize -dname "dname" \
        -validity valDays -keystore keystore -storepass storepass

b. Create a CSR to get the certificate signed
keytool -certreq -alias alias -keystore keystore -storepass storepass -file filename

c. Import the signed certificate back to USS
keytool -import -alias alias -keystore keystore -storepass storepass -file filename
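
The keytool steps 2a to 2c run end to end, followed by a truststore built from the CA certificate. This is an added example, not part of the original article: the aliases, DNs, file names, sample password and the local test CA standing in for the external CA are all assumptions. The password is passed with keytool's -storepass:env modifier so that it does not appear in the process arguments.

```shell
#!/bin/sh
# Added example. Aliases, DNs, file names and the password are constructed
# sample values; "testca" is a local test CA standing in for the external CA.
kt() {  # keytool wrapper: store password is read from the environment
  cmd=$1; shift
  keytool "$cmd" -storetype JKS -storepass:env STOREPASS "$@"
}

build_stores() {
  dir=$1
  ks=$dir/keystore.jks; ts=$dir/truststore.jks; ca=$dir/testca.jks
  STOREPASS=${STOREPASS:-sample-Passw0rd}; export STOREPASS

  # Local test CA and its public certificate (ca.pem).
  kt -genkeypair -alias testca -keyalg RSA -keysize 2048 -validity 30 \
     -dname "CN=Sample Test CA" -ext bc:c -keypass:env STOREPASS -keystore "$ca" &&
  kt -exportcert -alias testca -rfc -file "$dir/ca.pem" -keystore "$ca" &&

  # Steps 2a and 2b: server key pair in keystore.jks, then the CSR.
  kt -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 30 \
     -dname "CN=server.example.test" -keypass:env STOREPASS -keystore "$ks" &&
  kt -certreq -alias server -file "$dir/server.csr" -keystore "$ks" &&

  # What the CA does with the CSR: issue the signed certificate.
  kt -gencert -alias testca -infile "$dir/server.csr" \
     -outfile "$dir/server.pem" -rfc -validity 30 -keystore "$ca" &&

  # Step 2c: import the CA certificate first so the chain can be built, then
  # the signed reply under the same alias that holds the private key.
  kt -importcert -alias testca -trustcacerts -noprompt \
     -file "$dir/ca.pem" -keystore "$ks" &&
  kt -importcert -alias server -file "$dir/server.pem" -keystore "$ks" &&

  # Truststore: only the CA's public certificate, never a private key.
  kt -importcert -alias testca -noprompt -file "$dir/ca.pem" -keystore "$ts" &&

  # Checks: keystore holds a private key entry, truststore holds none.
  kt -list -keystore "$ks" | grep -q PrivateKeyEntry &&
  kt -list -keystore "$ts" | grep -q trustedCertEntry &&
  ! kt -list -keystore "$ts" | grep -q PrivateKeyEntry
}

# Usage: sh build_stores.sh <existing output directory>
if [ "$#" -gt 0 ]; then build_stores "$1"; fi
```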