How to create a certificate in RACF

Creating certificates in RACF involves several steps. Here’s a breakdown of the process, along with important considerations:

Prerequisites

  • RACF Privileges: You’ll need appropriate privileges to the DIGTCERT class to manage key rings and certificates. This usually includes READ access for your own user ID and CONTROL access to add CERTSITE or CERTAUTH certificates.
  • Understanding Key Rings: Key rings are RACF objects that store digital certificates and their associated private keys. You’ll need to create or use an existing key ring to hold your certificate.

Steps to Create a Certificate

  1. Generate a Key Ring (if one doesn’t exist)
    • Use the RACDCERT ADDRING command to create a key ring:
      RACDCERT ID(your_userid) ADDRING(keyring_name)
  2. Generate the Certificate
    • Use the RACDCERT GENCERT command to generate the certificate. You’ll need to provide information about the certificate’s subject (who it’s for), intended usage, and other details. Each component of the subject name is quoted individually:
      RACDCERT GENCERT ID(your_userid) SUBJECTSDN(CN('common_name') OU('organizational_unit') O('organization') L('locality') SP('state_or_province') C('country')) ALTNAME(DOMAIN('domain_name')) KEYUSAGE(usage_type) SIZE(key_size) WITHLABEL('certificate_label')
      • SUBJECTSDN: Specifies the subject’s distinguished name.
      • ALTNAME: Provides alternative names for the certificate (e.g., domain names).
      • KEYUSAGE: Defines the certificate’s intended use (e.g., HANDSHAKE for TLS/SSL).
      • SIZE: Specifies the key size (e.g., 2048 bits).
      • WITHLABEL: Assigns a label to the certificate for easy identification.
  3. Generate a Certificate Signing Request (CSR)
    • Use the RACDCERT GENREQ command to create a CSR. This request contains your public key and information about the certificate:
      RACDCERT GENREQ(LABEL('certificate_label')) ID(your_userid) DSN('dataset_name')
      • The CSR will be stored in the specified dataset.
  4. Submit the CSR to a Certificate Authority (CA)
    • Download the CSR from the dataset (as text, so the base64 encoding is preserved) and send it to a trusted CA (e.g., VeriSign, Let’s Encrypt). The CA will verify your information and issue a signed certificate.
  5. Receive the Signed Certificate and CA Certificates
    • The CA will provide you with your signed certificate, a root CA certificate, and possibly intermediate CA certificates.
  6. Store the Certificates in RACF
    • Add the signed certificate. Use the same label as in the GENCERT step: because the public key matches, RACF replaces the self-signed certificate and keeps the private key:
      RACDCERT ADD('dataset_containing_signed_certificate') ID(your_userid) TRUST WITHLABEL('certificate_label')
    • Connect the signed certificate to your key ring:
      RACDCERT ID(your_userid) CONNECT(ID(your_userid) LABEL('certificate_label') RING(keyring_name) USAGE(PERSONAL) DEFAULT)
    • Add the root CA certificate (and any intermediate certificates) as CERTAUTH certificates, then connect them to your key ring:
      RACDCERT ADD('dataset_containing_root_certificate') CERTAUTH TRUST WITHLABEL('ca_certificate_label')
      RACDCERT ID(your_userid) CONNECT(CERTAUTH LABEL('ca_certificate_label') RING(keyring_name) USAGE(CERTAUTH))
  7. Refresh the DIGTCERT Class (if necessary)
    • If the DIGTCERT class is RACLISTed, refresh it to activate your changes:
      SETROPTS RACLIST(DIGTCERT) REFRESH
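The whole sequence with concrete values, as an added example that is not from the page, IBM, or Broadcom: two batch TSO jobs, one before and one after the CA round trip. The user ID WEBSRV, the ring WEBRING, the labels, the subject name, and the dataset names are assumed and must be replaced with your own; the CA chain is added before the server certificate so RACF can validate its signature, and the final LISTRING and LIST commands show the ring contents and the certificate status so you can confirm the result.

```jcl
//CERTGEN  JOB (ACCT),'RACF CERT REQ',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Job 1 (steps 1-3): key ring, key pair with self-signed
//* certificate, and the CSR written to WEBSRV.TLS.CSR.
//TSOCMD   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(WEBSRV) ADDRING(WEBRING)
  RACDCERT ID(WEBSRV) GENCERT                               +
     SUBJECTSDN(CN('www.example.com') OU('Web Services')    +
                O('Example Corp') L('Austin')               +
                SP('Texas') C('US'))                        +
     ALTNAME(DOMAIN('www.example.com'))                     +
     KEYUSAGE(HANDSHAKE) SIZE(2048)                         +
     WITHLABEL('WEBSRV-TLS')
  RACDCERT ID(WEBSRV) GENREQ(LABEL('WEBSRV-TLS'))           +
     DSN('WEBSRV.TLS.CSR')
/*
//CERTADD  JOB (ACCT),'RACF CERT ADD',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Job 2 (steps 6-7), run after the CA has returned the signed
//* certificate and its chain, transferred as text into the
//* datasets named below. The server certificate is added under
//* the GENCERT label, so it replaces the self-signed one and
//* keeps the private key.
//TSOCMD   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ADD('WEBSRV.CA.ROOT.CERT') CERTAUTH TRUST        +
     WITHLABEL('EXAMPLE-ROOT-CA')
  RACDCERT ADD('WEBSRV.CA.ISSUING.CERT') CERTAUTH TRUST     +
     WITHLABEL('EXAMPLE-ISSUING-CA')
  RACDCERT ADD('WEBSRV.TLS.SIGNED.CERT') ID(WEBSRV) TRUST   +
     WITHLABEL('WEBSRV-TLS')
  RACDCERT ID(WEBSRV) CONNECT(ID(WEBSRV) LABEL('WEBSRV-TLS') +
     RING(WEBRING) USAGE(PERSONAL) DEFAULT)
  RACDCERT ID(WEBSRV) CONNECT(CERTAUTH LABEL('EXAMPLE-ROOT-CA') +
     RING(WEBRING) USAGE(CERTAUTH))
  RACDCERT ID(WEBSRV) CONNECT(CERTAUTH LABEL('EXAMPLE-ISSUING-CA') +
     RING(WEBRING) USAGE(CERTAUTH))
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT ID(WEBSRV) LISTRING(WEBRING)
  RACDCERT ID(WEBSRV) LIST(LABEL('WEBSRV-TLS'))
/*
```

In the LISTRING output, check that WEBSRV-TLS appears with usage PERSONAL and DEFAULT and that both CA labels appear with usage CERTAUTH; in the LIST output, check that the certificate status is TRUST and that the issuer is the CA rather than the subject itself.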

Important Considerations

  • Certificate Authority (CA): Choose a reputable CA to ensure the trustworthiness of your certificates.
  • Key Size: Use an appropriate key size (e.g., 2048 bits or higher for RSA keys) to ensure strong security.
  • Certificate Validity: Certificates have an expiration date. Make sure to renew them before they expire to avoid disruptions.
  • Key Usage: Specify the correct key usage to restrict the certificate to its intended purpose.
  • Security: Protect your private keys. Never share them with unauthorized individuals.

Troubleshooting

  • Error Messages: Pay close attention to any error messages returned by RACF commands. They often provide clues about the cause of the problem.
  • RACF Reports: Use RACF reporting tools to check the status of your key rings and certificates.

Additional Resources

  • IBM Documentation: Refer to the official IBM RACF documentation for detailed information about the RACDCERT command and related topics.
  • Broadcom Techdocs: Broadcom provides helpful guides and examples for managing certificates in RACF.

By following these steps and considering the important points, you can successfully create and manage certificates in RACF.