In this example a company wants to allow its employees to make FTP requests from z/OS to three FTP servers out on the Internet. The CA certificates for the three FTP servers were already obtained and reside in the following three data sets: 'FTPD.CACERT1', 'FTPD.CACERT2', and 'FTPD.CACERT3'.
KEYRING / SHAREID.RING LAST CHANGED BY USER002 ON 10/24/16-11:54
The following certificates are connected to this key ring:
CERTDATA record Label Usage
FTPD.CACERT1 CA for FTP Server 1 CERTAUTH
FTPD.CACERT2 CA for FTP Server 2 CERTAUTH
FTPD.CACERT3 CA for FTP Server 3 CERTAUTH
Authorize access to the shared key ring for the ring owner (SHAREID) and for the z/OS users (USER01 and USER02) who need to communicate with the external FTP servers. Do this by administering a profile in either the FACILITY or the RDATALIB class.
Using the FACILITY class:
RECKEY IRR ADD( DIGTCERT.LISTRING UID(***USER001) SERVICE(UPDATE) ALLOW)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(***USER002) SERVICE(UPDATE) ALLOW)
Using the RDATALIB class:
RECKEY SHAREID ADD( RING01.LST UID(***USER001) SERVICE(READ) ALLOW)
RECKEY SHAREID ADD( RING01.LST UID(***USER002) SERVICE(READ) ALLOW)
Configure the FTP client to use the shared key ring by specifying its fully qualified name for the KEYRING directive syntax: KEYRING ringowner/ringname: