search cancel

How to authorize domains for use in a certificate stored inACF2 before they can be validated

book

Article ID: 257984

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

Renewing some Websphere Certificates on the mainframe. Trying to add new domains to the Certificate Services account to allow a site to issue SSL/TLS certificates for the domains. How can a site authorize the domains for use in a certificate before they can be validated?

 

Environment

Release : 16.0

Resolution

All three z/OS External Security Managers(ACF2, Top Secret and RACF) support the GENCERT ALtname parameter which specifies the IP, DOMAIN, EMAIL, or URI values for the subjectAltName extension. One or more of the values can be specified however multiple entries of the same type are not supported, for example, two DOMAIN or two IP values cannot be specified but one DOMAIN, one IP, one EMAIL and one URI value can be specified in the ALTNAME parameter. You can create the certificate by other means such as System SSL gskkyman utility, openSSL, Keytool or an External Certificate Authority with mutliple DOMAINs and then INSERT/import the certificate into the ACF2 security database.

With ACF2 and Top Secret allow an ALTNAME value to be added to the certificate when using the 'RENEW' command however it also is limited to a single IP, DOMAIN, EMAIL, or URI value.

ACF2 is not involved in the "authorization for these domains". ACF2 will return certificates CONNECTed to a Keyring in response to the client or server's R_datalib calls. It is the client or server application that validates the domains. So in this regard there is no ACF2 configuration or changes required for authorization to the domains in certificates.

'Add the Random Value to the DNS entry for your domain DNS record using the specific _pki-validation path' is not a GENCERT option for z/OS ESMs. For certificates created(GENCERT subcommand) the domain can be specified in the subject's distinguished name or in the ALTNAME. Note that the three z/OS ESMs GENCERT commands offer basic certificate options related to domain names so sites with more advanced domain name requirements would need to be created by other means as mentioned previously(using System SSL gskkyman utility, openSSL, Keytool or an External Certificate Authority) however the certificates can be inserted/imported in the z/OS ESM's  database.