Top Secret commands to Configure a keyring-based keystore (JCERACFKS) for WMLz

Article ID: 279475


Products

Top Secret

Issue/Introduction

The IBM Watson Machine Learning for z/OS Enterprise Edition documentation contains instructions to configure a keyring-based keystore (JCERACFKS) for WMLz.

Those instructions give the definitions as RACF commands.

This article translates the RACF commands to Top Secret commands.

 

Resolution

This is the translation of the RACF commands to TSS:



Step 1.- Create the Keyring 

 

RACF command:


RACDCERT ADDRING(WMLZRING) ID(WMLZID)




Top Secret command:


TSS ADD(WMLZID) KEYRING(WMLZRING) LABLRING('WMLZRING')



Step 2.- Generate a CA (certificate authority) certificate   

 

RACF command:


RACDCERT GENCERT CERTAUTH + 
SUBJECTSDN( +
     CN('PLEXE2') + 
     C('US') + 
     SP('CA') + 
     L('SAN JOSE') + 
     O('IBM') + 
     OU('WMLZ') + 
) +
ALTNAME( +
     EMAIL('[email protected]') + 
) + 
WITHLABEL('WMLZCACert') + 
NOTAFTER(DATE(2030/01/01))


Top Secret Command:



TSS GENCERT(CERTAUTH) DIGICERT(root_digicert_name) -
SUBJECTN('CN="PLEXE2" C="US" SP="CA" L="SAN JOSE" O="IBM" OU="WMLZ"') -
LABLCERT('WMLZCACert') NADATE(01/01/2030) -
ALTNAME('[email protected]')


 

Step 3.- Generate and sign a user certificate for <mlz_setup_userid>



RACF command:


RACDCERT GENCERT ID(WMLZID) + 
SUBJECTSDN( +
     CN('PLEXE2') +  
     C('US') + 
     SP('CA') +  
     L('SAN JOSE') + 
     O('IBM') +
     OU('WMLZ-USER') +   
) + 
ALTNAME( +
     IP(9.1.2.3) +
     DOMAIN('svl.ibm.com') +
     EMAIL('[email protected]') + 
) +
WITHLABEL('WMLZCert_WMLZID') + 
SIGNWITH(CERTAUTH LABEL('WMLZCACert')) +
RSA SIZE(2048) +
NOTAFTER(DATE(2022/01/01))


Top Secret Command:


TSS GENCERT(WMLZID) DIGICERT(certname) -
SUBJECTN('CN="PLEXE2" C="US" SP="CA" L="SAN JOSE" O="IBM" OU="WMLZ-USER"') -
LABLCERT('WMLZCert_WMLZID') -
ALTNAME('IP=9.1.2.3 DOMAIN=svl.ibm.com [email protected]') -
SIGNWITH(CERTAUTH,WMLZCACert) -
KEYSIZE(2048) -
NADATE(01/01/2022)



Step 4.-  Connect the user certificate and the CA certificate to the keyring you created and add usage options

RACF command:


RACDCERT ID(WMLZID) CONNECT(CERTAUTH LABEL('WMLZCACert') +     
RING(WMLZRING))                                 



Top Secret command:


TSS ADD(WMLZID) KEYRING(WMLZRING) RINGDATA(CERTAUTH,WMLZCACert)


RACF Command:


RACDCERT ID(WMLZID) CONNECT(ID(WMLZID) LABEL('WMLZCert_WMLZID') + 
RING(WMLZRING) USAGE(PERSONAL) DEFAULT)


Top Secret Command:


TSS ADD(WMLZID) KEYRING(WMLZRING) RINGDATA(WMLZID,WMLZCert_WMLZID) -
USAGE(PERSONAL) DEFAULT

 

 

Step 5.- Grant <mlz_setup_userid> permission to access the keyring and the CA certificate.    

 

RACF command:


RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(<mlz_setup_userid>) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH


Top Secret commands:


TSS ADD(owning_acid) IBMFAC(IRR.DIGTCERT.LIST)
TSS PERMIT(mlz_setup_userid) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)

Note: The TSS ADD command may already be done.


RACF command:


RDEFINE RDATALIB WMLZID.WMLZRING.LST UACC(NONE) 
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
SETROPTS CLASSACT(RDATALIB)
PERMIT WMLZID.WMLZRING.LST CLASS(RDATALIB) ID(<mlz_setup_userid>) ACCESS(READ)
SETROPTS RACLIST(RDATALIB) REFRESH



Top Secret commands:


TSS ADD(acid) RDATALIB(WMLZID.WMLZRING.LST)
TSS PERMIT(mlz_setup_userid) RDATALIB(WMLZID.WMLZRING.LST) ACCESS(READ)
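
The keyring mappings in steps 1 and 4, as an added example (not part of the original article and not Broadcom or IBM tooling): a small Python helper that joins RACF `+` continuation lines and rewrites RACDCERT ADDRING and CONNECT commands into the TSS form shown in this article. The function names are hypothetical, and it assumes certificate labels without blanks; any other command is rejected rather than guessed at.

```python
import re

# RACF commands copied from steps 1 and 4 of this article.
SAMPLE = """\
RACDCERT ADDRING(WMLZRING) ID(WMLZID)
RACDCERT ID(WMLZID) CONNECT(CERTAUTH LABEL('WMLZCACert') +
RING(WMLZRING))
RACDCERT ID(WMLZID) CONNECT(ID(WMLZID) LABEL('WMLZCert_WMLZID') +
RING(WMLZRING) USAGE(PERSONAL) DEFAULT)
"""

ADDRING = re.compile(r"RACDCERT\s+ADDRING\((\w+)\)\s+ID\((\w+)\)")
CONNECT = re.compile(
    r"RACDCERT\s+ID\((\w+)\)\s+CONNECT\(\s*(?:CERTAUTH|ID\((\w+)\))\s+"
    r"LABEL\('([^'\s]+)'\)\s+RING\((\w+)\)\s*(.*?)\s*\)")

def join_continuations(text):
    """Join lines ending in the RACF continuation character '+'."""
    commands, current = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("+"):
            current += line[:-1].strip() + " "
        else:
            commands.append(current + line)
            current = ""
    if current:  # input ended in the middle of a continued command
        raise ValueError("dangling continuation: " + current.strip())
    return commands

def racdcert_to_tss(cmd):
    """Rewrite one ADDRING or CONNECT command using the article's patterns."""
    m = ADDRING.fullmatch(cmd)
    if m:
        ring, acid = m.groups()
        return f"TSS ADD({acid}) KEYRING({ring}) LABLRING('{ring}')"
    m = CONNECT.fullmatch(cmd)
    if not m:
        raise ValueError("unsupported command: " + cmd)
    acid, cert_owner, label, ring, options = m.groups()
    owner = cert_owner or "CERTAUTH"  # no ID(...) matched means CERTAUTH
    tss = f"TSS ADD({acid}) KEYRING({ring}) RINGDATA({owner},{label})"
    return f"{tss} {options}" if options else tss

def translate(text):
    return [racdcert_to_tss(c) for c in join_continuations(text)]
```

Each result is returned as a single line; split long commands with the TSS `-` continuation character, as in the article, before submitting them.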