Convert RACF Commands to TSS for CTG Digital Certificate Setup

Document ID : KB000044622
Last Modified Date : 14/02/2018

Questions:

We need to convert the RACF commands used to configure CTG to their TSS equivalents.

 

Answer:

1. Create a CA certificate that is self-signed on the server (in RACF): 
RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') 
T('CTG CA CERT') C('GB')) KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT') 

TSS GENCERT(CERTAUTH) DIGICERT(CTGCA) - 
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG CA CERT" C="GB"') - 
KEYUSAGE(CERTSIGN) LABLCERT('CTG CA CERT') 


2. Refresh the RACF class: 
SETR RACLIST(DIGTCERT) REFRESH 

Not needed in TSS. The refresh is done dynamically. 

4. List the certificate: 
RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT')) 

TSS LIST(CERTAUTH) DIGICERT(CTGCA) 

5. Create a personal certificate on the server and sign it with your CA certificate: 
RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') 
T('CTG PERSONAL CERT') C('GB')) WITHLABEL('CTG PERSONAL CERT') 
SIGNWITH(CERTAUTH LABEL('CTG CA CERT')) 
CTGUSER must be a valid RACF user ID. 

TSS GENCERT(CTGUSER) DIGICERT(CTGCERT) - 
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG PERSONAL CERT" C="GB"') - 
LABLCERT('CTG PERSONAL CERT') SIGNWITH(CERTAUTH,CTGCA) 

6. Refresh the RACF class: 
SETR RACLIST(DIGTCERT) REFRESH 

Not needed in TSS. The refresh is done dynamically. 

7. Create a keyring where certificates are stored: 
RACDCERT ADDRING(CTGSERVERKEYRING) ID(CTGUSER) 

TSS ADD(CTGUSER) KEYRING(CTGRING) LABLRING(CTGSERVERKEYRING) 

8. Add the CA certificate and personal certificate to the keyring: 
a. Add the CA certificate to the keyring: 
RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT') 
RING(CTGSERVERKEYRING) USAGE(CERTAUTH)) 

TSS ADD(CTGUSER) KEYRING(CTGRING) RINGDATA(CERTAUTH,CTGCA) USAGE(CERTAUTH) 

b. Add the personal certificate to the keyring: 
RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT') 
RING(CTGSERVERKEYRING) 
DEFAULT USAGE(PERSONAL)) 

TSS ADD(CTGUSER) KEYRING(CTGRING) RINGDATA(CTGUSER,CTGCERT) - 
USAGE(PERSONAL) DEFAULT 

9. List the keyring to confirm that it contains the certificates: 
RACDCERT LISTRING(CTGSERVERKEYRING) ID(CTGUSER) 

TSS LIST(CTGUSER) SEGMENT(RINGDATA) 

10. Export the personal certificate to a file on the server: 
RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT')) 
DSN('CTGUSER.PERSONAL.CERT') FORMAT(CERTB64) 
FORMAT(CERTB64) specifies that the certificate is stored in ASCII format. 

TSS EXPORT(CTGUSER) DIGICERT(CTGCERT) DSN('CTGUSER.PERSONAL.CERT') - 
FORMAT(CERTB64)
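
A mistyped or misquoted attribute in SUBJECTN yields a certificate whose subject differs from the RACF original, which is easy to miss in steps 1 and 5. The following Python check is an added example, not part of the original document or of any CA or IBM tooling; its function names are hypothetical, the sample commands are the step 5 pair, and TSS_TYPO is a constructed error.

```python
import re

RACF_ATTR = re.compile(r"([A-Z]+)\(\s*'([^']*)'\s*\)")  # OU('CTG TEST')
TSS_ATTR = re.compile(r'([A-Z]+)="([^"]*)"')            # OU="CTG TEST"

def normalise(command):
    """Join TSS '-' continuation lines and straighten typographic quotes."""
    lines = [re.sub(r"\s+-\s*$", "", ln) for ln in command.splitlines()]
    return " ".join(lines).replace("\u2019", "'").replace("\u2018", "'")

def operand(command, keyword):
    """Return the text inside keyword( ... ), honouring nesting and quotes."""
    text = normalise(command)
    begin = text.index(keyword + "(") + len(keyword) + 1  # ValueError if absent
    depth, in_quote = 1, False
    for i in range(begin, len(text)):
        ch = text[i]
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                return text[begin:i]
    raise ValueError(f"unbalanced parentheses or quotes in {keyword}")

def racf_dn(command):
    return RACF_ATTR.findall(operand(command, "SUBJECTSDN"))

def tss_dn(command):
    body = operand(command, "SUBJECTN")
    leftover = TSS_ATTR.sub("", body).strip(" '")
    if leftover:  # text outside attr="value" pairs means broken quoting
        raise ValueError(f"malformed SUBJECTN text: {leftover!r}")
    return TSS_ATTR.findall(body)

def dn_differences(racf_cmd, tss_cmd):
    """Return (attr, racf_value, tss_value) for each attribute that differs."""
    r, t = dict(racf_dn(racf_cmd)), dict(tss_dn(tss_cmd))
    return [(k, r.get(k), t.get(k)) for k in sorted(set(r) | set(t))
            if r.get(k) != t.get(k)]

# Sample commands: the step 5 pair, plus a constructed mistyped TSS variant.
RACF_CMD = """RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM')
T('CTG PERSONAL CERT') C('GB')) WITHLABEL('CTG PERSONAL CERT')
SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))"""
TSS_CMD = """TSS GENCERT(CTGUSER) DIGICERT(CTGCERT) -
SUBJECTN('OU="CTG TEST" O="IBM" T="CTG PERSONAL CERT" C="GB"') -
LABLCERT('CTG PERSONAL CERT') SIGNWITH(CERTAUTH,CTGCA)"""
TSS_TYPO = TSS_CMD.replace('O="IBM"', 'O="IBN"')  # constructed error
```

An empty list from dn_differences means every distinguished-name attribute carried over unchanged; a ValueError from tss_dn means the SUBJECTN quoting itself is broken.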