Description of the environment:
Here we have two CICS regions, named CTS510A and CTS510B.
CTS510A has a digital certificate named DCCTS51A added to it. This certificate is signed by an intermediate certificate, which is in turn signed by a root certificate. These three certificates make up the certificate chain.
The certificate chain is connected to the keyrings of both CICS regions, CTS510A and CTS510B.
Now we want to install a CICS group with a TCPIPSERVICE resource that uses SSL. This process requires the private key of the certificate to be read.
This means that CTS510B needs to be allowed to read the private key of certificate DCCTS51A, which belongs to CTS510A.
Below is an example of what these ACIDs and their certificates could look like:
ACCESSORID = CTS510A NAME = CTS 510 REGION ACID
TYPE = USER SIZE = 512 BYTES
FACILITY = BATCH
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(07/11/2013) AT(11:19:19)
FACILITY = STC
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(07/11/2013) AT(11:19:19)
DEPT ACID = BRUSDEP1 DEPARTMENT = DEP 1 BRUSSELS
DIV ACID = BRUSDIV1 DIVISION = DIV 1 BRUSSELS
ZONE ACID = BRUSSELS ZONE = ZONE BRUSSELS
CREATED = 07/11/13 11:18 LAST MOD = 23/06/14 11:25
GROUPS = OMVSGRP
BYPASSING = NODSNCHK,NOVOLCHK,NORESCHK
LAST USED = 01/06/15 08:07 CPU(LPAR) FAC(STC ) COUNT(00037)
MASTER FAC = CICSPROD
DFLTGRP = OMVSGRP
----------- SEGMENT OMVS
HOME = /
OMVSPGM = bin/sh
UID = 0000005110
----------- SEGMENT CERTDATA
DIGICERT = DCCTS51A ACCESSORID = CTS510A
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(12/09/2013) AT(09:59:13)
LABEL = TSS_CTS510A_certificate_label
STATUS = TRUST
SERIAL# = 01
ISSUER DISTINGUISHED NAME:
.CN=LPAR-Authority.T=CICS-LPAR.OU=CICS-Signed-LPAR.O=CA.L= -
Islandia.ST=NY.C=US
SUBJECT DISTINGUISHED NAME:
CN=CTS510A-Cert.T=CTS-510A.OU=CTS-LPAR.O=CA.L=Islandia.ST= -
NY.C=US
KEYUSAGE:
HANDSHAKE
PRIVATE KEY SIZE = 2048
PRIVATE KEY TYPE = RSA
ALGORITHM = sha256WithRSAEncryption
NOT BEFORE = 2013/11/26 00:00:00 UTC
NOT AFTER = 2015/11/26 23:59:59 UTC
CERTIFICATE WAS SIGNED BY: ACID(CERTAUTH) DIGICERT(LPARSIGN)
CERTIFICATE IS CONNECTED TO THE FOLLOWING KEYRINGS:
ACID(CTS510A ) KEYRING(KRCTS510)
ACID(CTS510B ) KEYRING(KRCTS51B)
ACID(CTS420A ) KEYRING(KRCTS420)
ACID(CTS420B ) KEYRING(KRCTS42B)
DIGICERT = DCCTS51X ACCESSORID = CTS510A
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(06/23/2014) AT(11:25:25)
LABEL = TSS_CTS510X_certificate_label
STATUS = TRUST
SERIAL# = 02
ISSUER DISTINGUISHED NAME:
.CN=LPAR-Authority.T=CICS-LPAR.OU=CICS-Signed-LPAR.O=CA.L= -
Islandia.ST=NY.C=US
SUBJECT DISTINGUISHED NAME:
CN=CTS510X-Cert.T=CTS-510X.OU=CTS-LPAR.O=CA.L=Islandia.ST= -
NY.C=US
KEYUSAGE:
HANDSHAKE
PRIVATE KEY SIZE = 2048
PRIVATE KEY TYPE = RSA
ALGORITHM = sha256WithRSAEncryption
NOT BEFORE = 2014/06/23 00:00:00 UTC
NOT AFTER = 2015/06/23 23:59:59 UTC
CERTIFICATE WAS SIGNED BY: ACID(CERTAUTH) DIGICERT(LPARSIGN)
----------- SEGMENT RINGDATA
KEYRING = KRCTS510 ACCESSORID = CTS510A
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(11/26/2013) AT(17:18:11)
KEYRING LABEL = CTS510A_Keyring_Label
KEYRING HAS THE FOLLOWING CERTIFICATES CONNECTED:
ACID(CERTAUTH) DIGICERT(DCAUTH00) DEFAULT(NO ) USAGE(CERTAUTH)
LABLCERT(DCAUTH00 )
ACID(CERTAUTH) DIGICERT(LPARSIGN) DEFAULT(NO ) USAGE(CERTAUTH)
LABLCERT(TSS_CICS_LPAR_certificate_label )
ACID(CTS510A ) DIGICERT(DCCTS51A) DEFAULT(YES) USAGE(PERSONAL)
LABLCERT(TSS_CTS510A_certificate_label )
ACCESSORID = CTS510B NAME = CTS 510 REGION ACID
TYPE = USER SIZE = 512 BYTES
FACILITY = BATCH
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(27/11/2013) AT(10:29:12)
FACILITY = STC
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(27/11/2013) AT(10:29:12)
DEPT ACID = BRUSDEP1 DEPARTMENT = DEP 1 BRUSSELS
DIV ACID = BRUSDIV1 DIVISION = DIV 1 BRUSSELS
ZONE ACID = BRUSSELS ZONE = ZONE BRUSSELS
CREATED = 27/11/13 10:28 LAST MOD = 03/12/13 15:33
GROUPS = OMVSGRP
ATTRIBUTES = TRACE
BYPASSING = NODSNCHK,NOVOLCHK,NORESCHK
LAST USED = 04/12/13 14:18 CPU(LPAR) FAC(STC ) COUNT(00003)
MASTER FAC = CICSPROD
DFLTGRP = OMVSGRP
----------- SEGMENT OMVS
HOME = /
OMVSPGM = bin/sh
UID = 0000005111
----------- SEGMENT RINGDATA
KEYRING = KRCTS51B ACCESSORID = CTS510B
ADMIN BY= BY(USER01 ) SMFID(LPAR) ON(11/27/2013) AT(10:37:44)
KEYRING LABEL = CTS510B_Keyring_Label
KEYRING HAS THE FOLLOWING CERTIFICATES CONNECTED:
ACID(CERTAUTH) DIGICERT(DCAUTH00) DEFAULT(NO ) USAGE(CERTAUTH)
LABLCERT(DCAUTH00 )
ACID(CERTAUTH) DIGICERT(LPARSIGN) DEFAULT(NO ) USAGE(CERTAUTH)
LABLCERT(TSS_CICS_LPAR_certificate_label )
ACID(CTS510A ) DIGICERT(DCCTS51A) DEFAULT(YES) USAGE(PERSONAL)
LABLCERT(TSS_CTS510A_certificate_label )
So, in order for CTS510B to read the private key of certificate DCCTS51A, it must be permitted to the RDATALIB resource:
ringowner.ringname.LST
In Top Secret terms: TSS PER(CTS510B) RDATALIB(ringowner.ringname.LST) ACCESS(READ)
In this case, the ringowner is CTS510B; see CTS510B's SEGMENT RINGDATA.
The ringname is the label of the keyring: "TSS_CTS510A_certificate_label".
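As an added example (not part of the original article and not Top Secret's own tooling), the Python script below parses a constructed TSS LIST-style excerpt modelled on the listing above, walks each RINGDATA segment, and reports every PERSONAL certificate that is connected to a keyring owned by a different ACID, which is exactly the situation of DCCTS51A (owned by CTS510A) in CTS510B's ring that calls for the RDATALIB permit. It then assembles the TSS PER command from the ringowner.ringname.LST template given above. The sample text, the dataclass and function names, and the choice to take the ring name from the RINGDATA KEYRING LABEL field are assumptions of the example, not values taken from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed TSS LIST-style excerpt, modelled on the listing above (not a real listing).
SAMPLE_LISTING = """\
ACCESSORID = CTS510A  NAME     = CTS 510 REGION ACID
----------- SEGMENT CERTDATA
DIGICERT   = DCCTS51A ACCESSORID = CTS510A
  CERTIFICATE IS CONNECTED TO THE FOLLOWING KEYRINGS:
    ACID(CTS510A ) KEYRING(KRCTS510)
    ACID(CTS510B ) KEYRING(KRCTS51B)
----------- SEGMENT RINGDATA
KEYRING    = KRCTS510 ACCESSORID = CTS510A
  KEYRING LABEL = CTS510A_Keyring_Label
  KEYRING HAS THE FOLLOWING CERTIFICATES CONNECTED:
    ACID(CERTAUTH) DIGICERT(LPARSIGN) DEFAULT(NO ) USAGE(CERTAUTH)
      LABLCERT(TSS_CICS_LPAR_certificate_label )
    ACID(CTS510A ) DIGICERT(DCCTS51A) DEFAULT(YES) USAGE(PERSONAL)
      LABLCERT(TSS_CTS510A_certificate_label )
ACCESSORID = CTS510B  NAME     = CTS 510 REGION ACID
----------- SEGMENT RINGDATA
KEYRING    = KRCTS51B ACCESSORID = CTS510B
  KEYRING LABEL = CTS510B_Keyring_Label
  KEYRING HAS THE FOLLOWING CERTIFICATES CONNECTED:
    ACID(CERTAUTH) DIGICERT(LPARSIGN) DEFAULT(NO ) USAGE(CERTAUTH)
      LABLCERT(TSS_CICS_LPAR_certificate_label )
    ACID(CTS510A ) DIGICERT(DCCTS51A) DEFAULT(YES) USAGE(PERSONAL)
      LABLCERT(TSS_CTS510A_certificate_label )
"""

RING_RE = re.compile(r"^\s*KEYRING\s*=\s*(\S+)\s+ACCESSORID\s*=\s*(\S+)")
LABEL_RE = re.compile(r"^\s*KEYRING LABEL\s*=\s*(\S+)")
# A certificate connected to a ring: ACID(owner) DIGICERT(name) DEFAULT(x) USAGE(y).
# The CERTDATA lines "ACID(...) KEYRING(...)" lack DIGICERT/USAGE and never match.
CONN_RE = re.compile(
    r"ACID\((\S+)\s*\)\s+DIGICERT\((\S+)\s*\)\s+DEFAULT\((\w+)\s*\)\s+USAGE\((\w+)\s*\)"
)


@dataclass
class ConnectedCert:
    owner: str       # ACID that owns the certificate (and its private key)
    digicert: str    # DIGICERT name
    default: bool
    usage: str       # PERSONAL, CERTAUTH, ...


@dataclass
class Keyring:
    owner: str       # ACCESSORID shown on the KEYRING line (the ringowner)
    name: str        # KEYRING name
    label: Optional[str] = None
    certs: List[ConnectedCert] = field(default_factory=list)


def parse_keyrings(listing: str) -> List[Keyring]:
    """Collect every keyring found in RINGDATA segments, with its connected certificates."""
    rings: List[Keyring] = []
    current: Optional[Keyring] = None
    for line in listing.splitlines():
        # A new ACID header or a non-RINGDATA segment ends the ring being collected.
        if line.startswith("ACCESSORID") or ("SEGMENT" in line and "RINGDATA" not in line):
            current = None
            continue
        m = RING_RE.match(line)
        if m:
            current = Keyring(name=m.group(1), owner=m.group(2))
            rings.append(current)
            continue
        if current is None:
            continue
        m = LABEL_RE.match(line)
        if m:
            current.label = m.group(1)
            continue
        m = CONN_RE.search(line)
        if m:
            current.certs.append(ConnectedCert(owner=m.group(1), digicert=m.group(2),
                                               default=(m.group(3) == "YES"), usage=m.group(4)))
    return rings


def private_key_permits_needed(rings: List[Keyring]) -> List[Tuple[str, str, Optional[str], str, str]]:
    """Return (ring_owner, ring_name, ring_label, cert_owner, digicert) for each PERSONAL
    certificate connected to a ring whose owner is not the certificate owner: the ring
    owner must be permitted to read that private key via RDATALIB ringowner.ringname.LST."""
    return [(r.owner, r.name, r.label, c.owner, c.digicert)
            for r in rings for c in r.certs
            if c.usage == "PERSONAL" and c.owner != r.owner]


def rdatalib_resource(ring_owner: str, ring_name: str) -> str:
    return f"{ring_owner}.{ring_name}.LST"


def tss_permit(acid: str, ring_owner: str, ring_name: str) -> str:
    return f"TSS PER({acid}) RDATALIB({rdatalib_resource(ring_owner, ring_name)}) ACCESS(READ)"


if __name__ == "__main__":
    for owner, name, label, cert_owner, digicert in private_key_permits_needed(parse_keyrings(SAMPLE_LISTING)):
        print(f"{owner} ring {name} holds {digicert} owned by {cert_owner}: private key read needs a permit")
        # Ring name as the region references the ring; the RINGDATA label is used here,
        # which is an assumption of this example.
        print("  " + tss_permit(owner, owner, label or name))
```

Run against a real listing, the report lists only rings that hold another ACID's PERSONAL certificate, so a permit is proposed for the cross-owner case alone and not for every region with a keyring; certificates connected with USAGE(CERTAUTH) are deliberately ignored because no private key is read for them.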