How to add a client and root certificate to CA Top Secret and then to a keyring?

Document ID : KB000015360
Last Modified Date : 14/02/2018

Question:

How to add a client certificate and root certificate pair to CA Top Secret Security file and then to a keyring?

Answer:

Example:

The following datasets contain the certs:

ROOT.PUBLIC.CERTS.PEM (contains the root cert)

CLIENT.PUBLIC.CERTS.P12 (contains the client cert and is password protected with ‘mandolin’)

1. Add the certs to the security file:

TSS ADD(CERTAUTH) DIGICERT(CAMSRV) DCDSN(ROOT.PUBLIC.CERTS.PEM) TRUST

TSS ADD(CERTSITE) DIGICERT(CAMSRVC) DCDSN(CLIENT.PUBLIC.CERTS.P12) PKCSPASS(MANDOLIN) TRUST

2. Create keyrings for users that don't already have the keyring:

TSS ADD(USERA) KEYRING(MESMRING)

TSS ADD(USERB) KEYRING(MESMRING)

TSS ADD(USERC) KEYRING(MESMRING)

3. Connect root and personal certs to the keyring of the user:

TSS ADD(USERB) KEYRING(MESMRING) RINGDATA(CERTSITE,CAMSRVC) USAGE(PERSONAL) DEFAULT

TSS ADD(USERB) KEYRING(MESMRING) RINGDATA(CERTAUTH,CAMSRV) USAGE(CERTAUTH)

TSS ADD(USERA) KEYRING(MESMRING) RINGDATA(CERTSITE,CAMSRVC) USAGE(PERSONAL) DEFAULT

TSS ADD(USERA) KEYRING(MESMRING) RINGDATA(CERTAUTH,CAMSRV) USAGE(CERTAUTH)

TSS ADD(USERC) KEYRING(MESMRING) RINGDATA(CERTSITE,CAMSRVC) USAGE(PERSONAL) DEFAULT

TSS ADD(USERC) KEYRING(MESMRING) RINGDATA(CERTAUTH,CAMSRV) USAGE(CERTAUTH)

4. Authorize for digital certificates:

TSS PER(USERA) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)

TSS PER(USERB) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)

TSS PER(USERC) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)

Without this permission, users will not be authorized to use digital certificates.

5. When specifying the keyring name to the application, make sure it matches the keyring name exactly. The digicert name and keyring name are case sensitive.
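
Added example (not part of the original article and not CA Top Secret code): a Python check that reads a TSS command script like the one above and reports the slips steps 3 to 5 are prone to, namely a RINGDATA reference whose case differs from the DIGICERT name, a keyring user with no IRR.DIGTCERT permit, and an application keyring name that does not match exactly. The function name lint_tss_script and the sample input are constructed for illustration; the check only sees commands in the script, so certs or permits that already exist on the system are reported as absent.

```python
import re

# Constructed input: the article's command sequence for one user, with a
# deliberate case slip in the last RINGDATA and no IRR.DIGTCERT permit.
SAMPLE = """\
TSS ADD(CERTAUTH) DIGICERT(CAMSRV) DCDSN(ROOT.PUBLIC.CERTS.PEM) TRUST
TSS ADD(CERTSITE) DIGICERT(CAMSRVC) DCDSN(CLIENT.PUBLIC.CERTS.P12) PKCSPASS(MANDOLIN) TRUST
TSS ADD(USERA) KEYRING(MESMRING)
TSS ADD(USERA) KEYRING(MESMRING) RINGDATA(CERTSITE,CAMSRVC) USAGE(PERSONAL) DEFAULT
TSS ADD(USERA) KEYRING(MESMRING) RINGDATA(CERTAUTH,Camsrv) USAGE(CERTAUTH)
"""

KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")  # matches NAME(value) operands

def lint_tss_script(script, app_keyring):
    """Return a list of problems found in a TSS certificate/keyring script."""
    certs, rings, ring_users, permitted, problems = set(), set(), set(), set(), []
    for line in script.splitlines():
        operands = KEYWORD.findall(line)
        if not line.strip().startswith("TSS ") or not operands:
            continue
        (verb, acid), args = operands[0], dict(operands[1:])
        if verb == "PER" and args.get("IBMFAC") == "IRR.DIGTCERT":
            permitted.add(acid)                       # step 4
        elif verb == "ADD" and "DIGICERT" in args:
            certs.add((acid, args["DIGICERT"]))       # step 1
        elif verb == "ADD" and "KEYRING" in args:
            rings.add(args["KEYRING"])                # steps 2 and 3
            ring_users.add(acid)
            if "RINGDATA" in args:
                owner, _, name = args["RINGDATA"].partition(",")
                if (owner, name) in certs:
                    continue
                folded = {(o, n.upper()) for o, n in certs}
                why = ("differs only in case from a DIGICERT added in this script"
                       if (owner, name.upper()) in folded else "is not added in this script")
                problems.append(f"{acid}: RINGDATA({owner},{name}) {why}")
    for user in sorted(ring_users - permitted):
        problems.append(f"{user}: no PER for IBMFAC(IRR.DIGTCERT) in this script")
    if app_keyring not in rings:                      # step 5: exact match required
        close = [r for r in sorted(rings) if r.upper() == app_keyring.upper()]
        hint = f"; case mismatch with {close[0]}" if close else ""
        problems.append(f"application keyring '{app_keyring}' not in script{hint}")
    return problems

if __name__ == "__main__":
    for problem in lint_tss_script(SAMPLE, "MesmRing"):
        print(problem)
```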