Convert RACF command to TSS for CTG Digital Certificate Setup

Article ID: 44622


Products

Top Secret

Issue/Introduction

Convert the RACF commands used to configure CTG digital certificates to their TSS equivalents.

Environment

 Component: TSSMVS

Resolution

1. Create a CA certificate that is self-signed on the server (in RACF):
RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM')
T('CTG CA CERT') C('GB')) KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT')

TSS GENCERT(CERTAUTH) DIGICERT(CTGCA) -
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG CA CERT" C="GB"') -
KEYUSAGE(CERTSIGN) LABLCERT('CTG CA CERT')


2. Refresh the RACF class:
SETR RACLIST(DIGTCERT) REFRESH

Not needed in TSS. Refresh is dynamically done in TSS.

4. List the certificate:
RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT'))

TSS LIST(CERTAUTH) DIGICERT(CTGCA)

5. Create a personal certificate on the server and sign it with your CA certificate:
RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM')
T('CTG PERSONAL CERT') C('GB')) WITHLABEL('CTG PERSONAL CERT')
SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))
CTGUSER must be a valid RACF user ID.

TSS GENCERT(CTGUSER) DIGICERT(CTGCERT) -
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG PERSONAL CERT" C="GB"') -
LABLCERT('CTG PERSONAL CERT') SIGNWITH(CERTAUTH,CTGCA)

6. Refresh the RACF class:
SETR RACLIST(DIGTCERT) REFRESH

Not needed in TSS. Refresh is dynamically done in TSS.

7. Create a keyring where certificates are stored:
RACDCERT ADDRING(CTGSERVERKEYRING) ID(CTGUSER)

TSS ADD(CTGUSER) KEYRING(CTGRING) LABLRING(CTGSERVERKEYRING)

8. Add the CA certificate and personal certificate to the keyring:
a. Add the CA certificate to the keyring:
RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT')
RING(CTGSERVERKEYRING) USAGE(CERTAUTH))

TSS ADD(CTGUSER) KEYRING(CTGRING) RINGDATA(CERTAUTH,CTGCA) USAGE(CERTAUTH)

b. Add the personal certificate to the keyring:
RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT')
RING(CTGSERVERKEYRING)
DEFAULT USAGE(PERSONAL))

TSS ADD(CTGUSER) KEYRING(CTGRING) RINGDATA(CTGUSER,CTGCERT) -
USAGE(PERSONAL) DEFAULT

9. List the keyring to confirm that it contains the certificates:
RACDCERT LISTRING(CTGSERVERKEYRING) ID(CTGUSER)

TSS LIST(CTGUSER) SEGMENT(RINGDATA)

10. Export the personal certificate to a file on the server:
RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT'))
DSN('CTGUSER.PERSONAL.CERT') FORMAT(CERTB64)
FORMAT(CERTB64) specifies that the certificate is stored in ASCII format.

TSS EXPORT(CTGUSER) DIGICERT(CTGCERT) DSN('CTGUSER.PERSONAL.CERT') -
FORMAT(CERTB64)
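
A converted GENCERT command should produce the same subject distinguished name as the RACF original. The following check is an added example, not part of the original article or of any Broadcom or IBM tooling: it parses the SUBJECTSDN and SUBJECTN operands in the two syntaxes shown above and reports any attribute whose value differs. The function names and sample strings are assumptions made for this example.

```python
import re

RACF_ATTR = re.compile(r"([A-Z]+)\('([^']*)'\)")   # RACF: KEY('value')
TSS_ATTR = re.compile(r'([A-Z]+)="([^"]*)"')        # TSS:  KEY="value"
SMART_QUOTES = "\u2018\u2019\u201c\u201d"

def _check_quotes(command):
    # Commands pasted from formatted documents may carry typographic quotes,
    # which are not the plain ' and " delimiters the commands are written with.
    if any(ch in command for ch in SMART_QUOTES):
        raise ValueError("typographic quote in command text")

def racf_dn(command):
    """DN attributes from the SUBJECTSDN(...) operand of a RACDCERT GENCERT."""
    _check_quotes(command)
    m = re.search(r"SUBJECTSDN\(((?:\s*[A-Z]+\('[^']*'\))+)\s*\)", command)
    if not m:
        raise ValueError("no SUBJECTSDN operand found")
    return dict(RACF_ATTR.findall(m.group(1)))

def tss_dn(command):
    """DN attributes from the SUBJECTN('...') operand of a TSS GENCERT."""
    _check_quotes(command)
    m = re.search(r"SUBJECTN\('([^']*)'\)", command)
    if not m:
        raise ValueError("no SUBJECTN operand found")
    return dict(TSS_ATTR.findall(m.group(1)))

def dn_mismatches(racf_cmd, tss_cmd):
    """Map each differing attribute to its (RACF value, TSS value) pair."""
    r, t = racf_dn(racf_cmd), tss_dn(tss_cmd)
    return {k: (r.get(k), t.get(k))
            for k in sorted(set(r) | set(t)) if r.get(k) != t.get(k)}

# Constructed sample input, modelled on step 1 of this page.
RACF_CA = """RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM')
T('CTG CA CERT') C('GB')) KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT')"""
TSS_CA = """TSS GENCERT(CERTAUTH) DIGICERT(CTGCA) -
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG CA CERT" C="GB"') -
KEYUSAGE(CERTSIGN) LABLCERT('CTG CA CERT')"""
TSS_CA_TYPO = TSS_CA.replace('O="IBM"', 'O="OBM"')  # deliberate mistake

if __name__ == "__main__":
    print(dn_mismatches(RACF_CA, TSS_CA))        # {}
    print(dn_mismatches(RACF_CA, TSS_CA_TYPO))   # {'O': ('IBM', 'OBM')}
```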