Convert the RACF commands that are used to configure CTG to their TSS equivalents.
Component: TSSMVS
1. Create a CA certificate that is self-signed on the server (in RACF):
RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM')
T('CTG CA CERT') C('GB')) KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT')
TSS GENCERT(CERTAUTH) DIGICERT(CTGCA) -
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG CA CERT" C="GB"') -
KEYUSAGE(CERTSIGN) LABLCERT('CTG CA CERT')
2. Refresh the RACF class:
SETR RACLIST(DIGTCERT) REFRESH
Not needed in TSS. TSS performs the refresh dynamically.
4. List the certificate:
RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT'))
TSS LIST(CERTAUTH) DIGICERT(CTGCA)
5. Create a personal certificate on the server and sign it with your CA certificate:
RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM')
T('CTG PERSONAL CERT') C('GB')) WITHLABEL('CTG PERSONAL CERT')
SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))
CTGUSER must be a valid RACF user ID.
TSS GENCERT(CTGUSER) DIGICERT(CTGCERT) -
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG PERSONAL CERT" C="GB"') -
LABLCERT('CTG PERSONAL CERT') SIGNWITH(CERTAUTH,CTGCA)
6. Refresh the RACF class:
SETR RACLIST(DIGTCERT) REFRESH
Not needed in TSS. TSS performs the refresh dynamically.
7. Create a keyring where certificates are stored:
RACDCERT ADDRING(CTGSERVERKEYRING) ID(CTGUSER)
TSS ADD(CTGUSER) KEYRING(CTGRING) LABLRING(CTGSERVERKEYRING)
8. Add the CA certificate and personal certificate to the keyring:
a. Add the CA certificate to the keyring:
RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT')
RING(CTGSERVERKEYRING) USAGE(CERTAUTH))
TSS ADD(CTGUSER) KEYRING(CTGRING) RINGDATA(CERTAUTH,CTGCA) USAGE(CERTAUTH)
b. Add the personal certificate to the keyring:
RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT')
RING(CTGSERVERKEYRING)
DEFAULT USAGE(PERSONAL))
TSS ADD(CTGUSER) KEYRING(CTGRING) RINGDATA(CTGUSER,CTGCERT) -
USAGE(PERSONAL) DEFAULT
9. List the keyring to confirm that it contains the certificates:
RACDCERT LISTRING(CTGSERVERKEYRING) ID(CTGUSER)
TSS LIST(CTGUSER) SEGMENT(RINGDATA)
10. Export the personal certificate to a file on the server:
RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT'))
DSN('CTGUSER.PERSONAL.CERT') FORMAT(CERTB64)
FORMAT(CERTB64) specifies that the certificate is stored in ASCII format.
TSS EXPORT(CTGUSER) DIGICERT(CTGCERT) DSN('CTGUSER.PERSONAL.CERT') -
FORMAT(CERTB64)
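
Added example (not part of the original article and not IBM or Broadcom code): a Python helper that derives the TSS SUBJECTN operand from a RACDCERT SUBJECTSDN operand, as in steps 1 and 5, and reports any attribute where a hand-converted TSS command disagrees with the RACF original. It assumes only the two syntaxes shown on this page; the function names are hypothetical, and BAD_TSS is a constructed command with a deliberately mistyped O value.

```python
import re

RACF_ATTR = re.compile(r"([A-Z]+)\('([^']*)'\)")   # e.g. OU('CTG TEST')
TSS_ATTR = re.compile(r'([A-Z]+)="([^"]*)"')       # e.g. OU="CTG TEST"

def operand(cmd, keyword):
    """Return the text inside KEYWORD( ... ), honouring quotes and nested parentheses."""
    cmd = cmd.replace("\u2018", "'").replace("\u2019", "'")  # undo typographic quotes
    start = cmd.find(keyword + "(")
    if start < 0:
        raise ValueError(f"{keyword} operand not found")
    begin = start + len(keyword) + 1
    depth, quoted = 1, False
    for pos in range(begin, len(cmd)):
        ch = cmd[pos]
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
            if depth == 0:
                return cmd[begin:pos]
    raise ValueError(f"unbalanced parentheses in {keyword}")

def racf_to_tss_subject(racf_cmd):
    """Build the TSS SUBJECTN operand from a RACDCERT command's SUBJECTSDN operand."""
    attrs = RACF_ATTR.findall(operand(racf_cmd, "SUBJECTSDN"))
    if any('"' in value for _, value in attrs):
        raise ValueError("double quote in a value cannot be carried into SUBJECTN")
    return "SUBJECTN('" + " ".join(f'{k}="{v}"' for k, v in attrs) + "')"

def subject_mismatches(racf_cmd, tss_cmd):
    """List (attribute, RACF value, TSS value) wherever the two commands disagree."""
    racf = dict(RACF_ATTR.findall(operand(racf_cmd, "SUBJECTSDN")))
    tss = dict(TSS_ATTR.findall(operand(tss_cmd, "SUBJECTN")))
    return [(k, racf.get(k), tss.get(k))
            for k in sorted(racf.keys() | tss.keys()) if racf.get(k) != tss.get(k)]

# The page's step 5 RACF command, and a constructed TSS command with a mistyped O value.
RACF_CMD = ("RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') "
            "T('CTG PERSONAL CERT') C('GB')) WITHLABEL('CTG PERSONAL CERT') "
            "SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))")
BAD_TSS = ("TSS GENCERT(CTGUSER) DIGICERT(CTGCERT) SUBJECTN('"
           'OU="CTG TEST" O="IBN" T="CTG PERSONAL CERT" C="GB"' "')")

if __name__ == "__main__":
    print(racf_to_tss_subject(RACF_CMD))
    print(subject_mismatches(RACF_CMD, BAD_TSS))
```

Running the check before issuing TSS GENCERT matters because the subject name is fixed in the certificate once it is generated.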