This example shows you how to use a RACF® keyring as an SSL keystore.
Before you begin
This topic is an example of how to use a RACF keyring as an SSL keystore. For complete information, see the instructions in the Liberty documentation.
About this task
You must set the HBRSSLKEYSTORE property to the value SAF to use a SAF keyring such as RACF.
First, create a signing certificate. Then, use this signing certificate to create a server certificate. Finally, export the signing certificate to the client web browser, where it is used to authenticate the server certificate.
Procedure
1. Configure the server. If you already have a certificate, skip steps a and b.
   a. Create a certificate authority (CA) certificate (signing certificate). This example uses RACF commands in ASCII:

      RACDCERT GENCERT
        CERTAUTH
        SUBJECTSDN(CN('ODM Sample Certification Authority')
                   O('IBM')
                   OU('ODM'))
        SIZE(2048)
        WITHLABEL('ODM-Sample-Certification')
   b. Create a server certificate that is signed with the CA certificate from the previous step, where <userid> is the zRule Execution Server for z/OS started task user ID and <hostname> is the host name of the server that the zRES runs on:

      RACDCERT ID(<userid>) GENCERT
        SUBJECTSDN(CN('<hostname>')
                   O('IBM')
                   OU('ODM'))
        SIZE(2048)
        SIGNWITH(CERTAUTH LABEL('ODM-Sample-Certification'))
        WITHLABEL('<userid>-zRES')
        ALTNAME(DOMAIN('<hostname>'))
   c. You need a keyring to which you can add the two certificates. Create a keyring by running the following command, where <userid> is the zRule Execution Server for z/OS started task user ID and <keyring> is the name of the new keyring:

      RACDCERT ADDRING(<keyring>) ID(<userid>)

      Alternatively, you can locate an existing keyring by running this command:

      RACDCERT LISTRING(*) ID(<userid>)
   d. Run these commands to connect the certificates to the keyring that you created or located in the previous step. The first command connects the server certificate as the default personal certificate; the second connects the CA certificate that signed it. If you use your own certificate, use its LABEL to connect the certificate to the keyring:

      RACDCERT ID(<userid>) CONNECT(RING(<keyring>)
        LABEL('<userid>-zRES')
        USAGE(PERSONAL) DEFAULT)
      RACDCERT ID(<userid>) CONNECT(RING(<keyring>)
        CERTAUTH LABEL('ODM-Sample-Certification'))
   e. Edit the ++HBRWORKPATH++/servers/sslSAF.xml file and add the following XML. The SAF keyring must be specified in the URL form safkeyring://<userid>/<keyring>, where <userid> is the zRule Execution Server for z/OS started task user ID and <keyring> is the name of the keyring. The password field is not used to access the SAF keyring, but it must be set to the literal value password.

      <keyStore filebased="false" id="racfKeyStore"
          location="safkeyring://<userid>/<keyring>"
          password="password"
          readOnly="true"
          type="JCERACFKS"/>
      <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
          sslProtocol="SSL_TLSv2"
          serverKeyAlias="<userid>-zRES" />

      Important: If you use your own certificate, put its LABEL in the serverKeyAlias value in place of "<userid>-zRES".
2. If you have a self-signed certificate, follow these steps to configure your browser to accept the certificate:
   a. Export the signing certificate to a CER file:

      RACDCERT CERTAUTH EXPORT(LABEL('ODM-Sample-Certification'))
        DSN('<userid>.CERT.ZRESCERT')
        FORMAT(CERTDER)
        PASSWORD('password')

   b. FTP the exported certificate in binary mode to your workstation, and import it into your browser. When importing, you must manually select the certificate store "Trusted Root Certification Authorities"; allowing automatic store selection results in the certificate being stored in the wrong location. If you use the Chrome browser, you must close all browser windows and end any remaining Chrome processes for the change to take effect.
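The sslSAF.xml settings from step 1e are easy to get subtly wrong: a file-based keystore left in place, a keyStoreRef that points at the wrong store, or a serverKeyAlias that does not match the certificate LABEL. The following Python script is an added example (not part of the IBM documentation or the product) that parses a server.xml fragment and reports every field that disagrees with the procedure. The started task user ID ZRESSTC, the keyring name ZRESRING and both sample fragments are constructed for the example.

```python
"""Consistency check for the SAF keystore settings in a Liberty sslSAF.xml.

Added example (not from the IBM documentation): it checks the <keyStore> and
<ssl> elements from the procedure against the rules the procedure states.
"""
import re
import xml.etree.ElementTree as ET

# Matches the required URL form safkeyring://<userid>/<keyring>.
SAFKEYRING_RE = re.compile(r"^safkeyring://([^/]+)/([^/]+)$")

# Constructed sample: the fragment from step 1e with the placeholders filled in
# for a hypothetical started task user ID (ZRESSTC) and keyring (ZRESRING).
SAMPLE_OK = """<server>
  <keyStore filebased="false" id="racfKeyStore"
      location="safkeyring://ZRESSTC/ZRESRING"
      password="password"
      readOnly="true"
      type="JCERACFKS"/>
  <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
      sslProtocol="SSL_TLSv2"
      serverKeyAlias="ZRESSTC-zRES" />
</server>"""

# Constructed sample of a file-based keystore that was never switched to SAF.
SAMPLE_BAD = """<server>
  <keyStore filebased="true" id="racfKeyStore"
      location="/var/zres/keys/zres.p12"
      password="s3cret"
      type="PKCS12"/>
  <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
      sslProtocol="SSL_TLSv2"
      serverKeyAlias="defaultKey" />
</server>"""


def check_saf_ssl_config(xml_text, expected_userid, expected_label):
    """Return a list of problems; an empty list means the fragment follows the procedure."""
    root = ET.fromstring(xml_text)
    problems = []
    stores = {ks.get("id"): ks for ks in root.iter("keyStore")}

    for ssl_el in root.iter("ssl"):
        ref = ssl_el.get("keyStoreRef")
        ks = stores.get(ref)
        if ks is None:
            problems.append(f"ssl '{ssl_el.get('id')}': keyStoreRef '{ref}' matches no keyStore")
            continue

        # The keyring must be addressed as safkeyring://<userid>/<keyring>,
        # and the owner must be the started task user ID.
        match = SAFKEYRING_RE.match(ks.get("location", ""))
        if match is None:
            problems.append(f"keyStore '{ref}': location is not of the form safkeyring://<userid>/<keyring>")
        elif match.group(1) != expected_userid:
            problems.append(f"keyStore '{ref}': keyring owner '{match.group(1)}' "
                            f"is not the started task user ID '{expected_userid}'")

        # Attribute values the procedure fixes for a SAF keyring.
        required = {"type": "JCERACFKS", "filebased": "false",
                    "readOnly": "true", "password": "password"}
        for attr, want in required.items():
            got = ks.get(attr)
            if got != want:
                problems.append(f"keyStore '{ref}': {attr} is {got!r}, expected {want!r}")

        # serverKeyAlias must name the server certificate's RACF label.
        alias = ssl_el.get("serverKeyAlias")
        if alias != expected_label:
            problems.append(f"ssl '{ssl_el.get('id')}': serverKeyAlias {alias!r} "
                            f"does not match certificate label {expected_label!r}")
    return problems


if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        found = check_saf_ssl_config(text, "ZRESSTC", "ZRESSTC-zRES")
        print(f"{name}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

To check a real configuration, read ++HBRWORKPATH++/servers/sslSAF.xml and pass its text together with the started task user ID and the LABEL you used in WITHLABEL; an empty result means the keystore reference, keyring URL, JCERACFKS type, placeholder password and alias all line up with the procedure.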
Results
SSL for a zRule Execution Server for z/OS is successfully configured for a RACF keyring.
The certificates generated in these steps use the SHA-1 hashing algorithm for signing. For a higher level of security, use SHA-2; for instructions, see the z/OS Security Server RACF Command Language Reference.
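Before a CER file exported in step 2a is imported as a trusted root, it is worth checking which signature algorithm it actually carries. The script below is an added example, not from the IBM documentation or RACF: a minimal DER walker that reads only the outer Certificate structure and decodes the signatureAlgorithm OID, enough to tell a SHA-1 signed certificate from a SHA-2 one without a full X.509 parser. The `constructed_certificate` helper builds a dummy, structurally valid skeleton for offline testing and is not a real certificate; to inspect a real export, pass the path of the file transferred in binary mode as the first argument.

```python
"""Report the signature algorithm of a DER-encoded (FORMAT(CERTDER)) certificate.

Added example, not from the IBM documentation or RACF. It walks only the outer
X.509 structure, Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue }, and decodes the OID inside signatureAlgorithm.
"""
import sys

# Well-known signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

SEQUENCE, OID, NULL, BIT_STRING, INTEGER = 0x30, 0x06, 0x05, 0x03, 0x02


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OID content octets to dotted form (first octet packs the first two arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID in the outer signatureAlgorithm field of a DER Certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate: skipped, not parsed
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != SEQUENCE:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)


def describe_signature(der):
    """Return (dotted OID, algorithm name or 'unknown', True if SHA-1 based)."""
    oid = signature_algorithm(der)
    return oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in SHA1_OIDS


# --- constructed test input: a dummy certificate skeleton, NOT a real certificate ---
def _tlv(tag, content):
    """Encode one DER TLV, using long-form length when the content is 128 bytes or more."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content octets (base-128 arcs, continuation bit set)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_certificate(sig_oid):
    """Build a Certificate SEQUENCE with filler tbsCertificate/signature and the given OID."""
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x02") + b"\x00" * 200)   # >127 bytes: long-form length
    alg = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    sig = _tlv(BIT_STRING, b"\x00" + b"\x00" * 256)                 # unused-bits octet + filler
    return _tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # the CER file transferred in binary mode
            data = f.read()
    else:
        data = constructed_certificate("1.2.840.113549.1.1.5")
    oid, name, sha1 = describe_signature(data)
    print(f"signatureAlgorithm {oid} ({name}); SHA-1 based: {sha1}")
```

The walker deliberately does not descend into tbsCertificate, so it works on any well-formed DER certificate regardless of extensions; a SHA-1 result is the signal to regenerate the CA and server certificates with SHA-2 as the Results section recommends.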