How to setup CA TOP SECRET Digital Certificates with Tivoli Access Manager for Business Integration v4.1?

Document ID : KB000027548
Last Modified Date : 14/02/2018

Question:

What are the steps to set up digital certificates for Tivoli Access Manager v4.1?

Answer:


DESCRIPTION
The section below references information from the "Tivoli Access Manager for Business Integration v4.1 Workshop Host Edition Hands-on Lab" IBM document authored by Jon Harry, dated January 2003. For each step of that document that requires RACF commands, the corresponding eTrust CA-TOP SECRET commands are shown below.

  1. In section 2.8 (Configuring LDAP PROXY information), issue these commands to set the LDAP BIND masking key:

    TSS ADD(SDT) KEYSMSTR(LDAP.BINDPW.KEY) -
    DCENCRY(123456789A123456) KEYENCRY

    Issue the following commands to define a default for the IRR.PROXY.DEFAULTS facility:

    TSS ADDTO(SDT) PRXLDAPHST('LDAP://SOME.LDAP.HOST:389') -
    PRXBINDDN('cn=root') PRXBINDPW(password)

  2. In section 3.3 (Create PDACLD user), issue these commands to set up the group ACLDGRP and user PDACLD:

    TSS CRE(ACLDGRP) TYPE(GROUP) NAME(ACLDGRP) GID(2) DEPT(dept)

    TSS CRE(PDACLD) NAME('PDACLD DAEMON') PASS(NOPW,0) -
    GROUP(ACLDGRP) UID(0) DFLTGRP(ACLDGRP) -
    HOME('etc/PolicyDirector/home/pdacld') -
    OMVSPGM('/bin/sh') FAC(STC)
  3. In section 3.4 (Configure in-memory policy cache), issue these commands to define the AM shared memory (RZPDIR) and allow PDACLD to update it:

    TSS PER(PDACLD) IBMFAC(IRR.RCACHESERV.RZPDIR) ACC(UPDATE)
  4. Section 3.6 (Define Digital Certificate Facilities to RACF) describes seven RDEFINE commands that define IRR.DIGTCERT.xxxxxxxx FACILITY resources to RACF. Only one command is needed for eTrust CA-TOP SECRET.

    TSS ADD(owningacid) IBMFAC(IRR.DIGTCERT)

  5. In section 3.7 (Permit access Digital Certificate Facilities) issue these commands to set up the FACILITY resources needed so that PDACLD can acquire the digital certificate and key needed to perform mutual authentication with the Policy Server:

    TSS PER(PDACLD) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)

    Optionally, set up access to the FACILITY resources shown below if certificate administration privileges are required by a user who does not have the SECURITY attribute:

    TSS PER(PDACLD) IBMFAC(IRR.DIGTCERT.ADD) ACC(READ)

    TSS PER(PDACLD) IBMFAC(IRR.DIGTCERT.CONNECT) ACC(READ)

    TSS PER(PDACLD) IBMFAC(IRR.DIGTCERT.GEN) ACC(READ)

  6. In section 3.10 (Testing Policy Director Authorization Services) issue the following command to set up the IRR.AZNSERVICE facility:

    TSS PER(ZOSUSER) IBMFAC(IRR.AZNSERVICE) ACC(READ)

  7. In section 4.2 (Add User for Daemon processes) issue the following commands to define the Tivoli Access Manager for Business Integration user:

    TSS CRE(PDMQ) NAME('PDMQ SERVER') DEPT(dept) PASS(NOPW,0) UID(0) -
    DFLTGRP(?) GROUP(?) FAC(STC)

  8. In section 4.3 (Configure system for SURROGAT class) issue the following commands to set up required SURROGAT and FACILITY resources:

    TSS PER(PDMQ) IBMFAC(BPX.SRV.) ACC(READ)

    TSS PER(PDMQ) IBMFAC(BPX.SERVER) ACC(READ)

    If no OMVS default user and group are defined you can set them up using commands such as these:

    TSS MODIFY DFLTGRP(OMVSDGRP)

    TSS MODIFY DFLTUSR(OEDFLT)

    In the eTrust CA-TOP SECRET TSSPARMS add :

    DFLTGRP(OMVSDGRP)

    DFLTUSR(OEDFLT)

    TSS CRE(OEDFLT) NAME('OMVS DEFAULT USERID') TYPE(USER) -
    PASS(NOPW,0) DEPT(dept) -
    UID(99999999) HOME('/') OMVSPGM('/bin/sh')

    TSS CRE(OMVSDGRP) NAME('OMVSDGRP') TYPE(GROUP) PASS(NOPW,0) -
    DEPT(dept) UID(99999999) HOME(/) OMVSPGM('/bin/sh')

    TSS ADD(OEDFLT) GROUP(OMVSDGRP)

  9. In section 4.4 (Permit PDMQ User to perform Digital Certificate operations) issue the following commands to allow user PDMQ to manipulate digital certificates:

    TSS PER(PDMQ) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)

  10. In section 4.7 (Configure Certificate Authority, Certificates and Keyrings) issue this command to generate the Certificate Authority certificate:

    TSS GENCERT(CERTAUTH) DIGICERT(ROOTCA) LABLCERT('Root CA') -
    SUBJECTDN('CN="Root CA" O="Company Name" C=US')

    To create user certificates for WebSphere MQ users issue:

    TSS GENCERT(ZOSUSER) DIGICERT(ZOSCERT) LABLCERT(ZOSUSER) -
    SUBJECTDN('CN="ZOSUSER" O="Company Name" C=US') -
    SIGNWITH(CERTAUTH, ROOTCA) KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)

    If necessary, assign TRUST status to the certificate. Export the certificates in order to exchange them:

    TSS EXPORT(ZOSUSER) DIGICERT(ZOSCERT) DCDSN('ZOSCERT.CERT')

    TSS EXPORT(CERTAUTH) DIGICERT(ROOTCA) DCDSN('CERTAUTH.CERT')

  11. In section 4.7.5 (Import Distributed Certificates into Host environment) issue these commands to import the CA certificate and user certificate:

    TSS ADD(ZOSUSER) DIGICERT(MQAPP1) LABLCERT(MQAPP1) -
    DCDSN('mvs.dataset.name') TRUST

    TSS ADD(CERTAUTH) DIGICERT(TPKICA) LABLCERT(TPKICA) -
    DCDSN('mvs.dataset.name') TRUST

  12. In section 4.7.6 (Create keyrings) issue these commands to create keyrings for PDMQ and each WebSphere MQ user:

    TSS ADD(ZOSUSER) KEYRING(ZOSURING) LABLRING(drq.pdmq.keyring)
    TSS ADD(PDMQ) KEYRING(PDMQRING) LABLRING(drq.pdmq.keyring)

  13. In section 4.7.7 (Assign certificates to keyrings) issue this command to connect a user certificate to the user's own keyring:

    TSS ADD(ZOSUSER) KEYRING(ZOSURING) -
    DIGICERT(ZOSUSER, MQAPP1) USAGE(PERSONAL)

    Then connect the CA certificates to the PDMQ keyring:

    TSS ADD(PDMQ) KEYRING(PDMQRING) -
    DIGICERT(CERTAUTH, ROOTCA) USAGE(CERTAUTH)

    TSS ADD(PDMQ) KEYRING(PDMQRING) -
    DIGICERT(CERTAUTH, TPKICA) USAGE(CERTAUTH)

    Connect the certificates of any users that need to receive encrypted messages to the PDMQ keyring (as site certificates):

    TSS ADD(ZOSUSER) KEYRING(ZOSURING) -
    DIGICERT(owningacid, digicert) USAGE(CERTSITE)

    TSS ADD(ZOSUSER) KEYRING(ZOSURING) RINGNAME(drq.pdmq.keyring) -
    DIGICERT(ZOSUSER, MQAPP1) USAGE(CERTSITE)

    The following section references information from Appendix B in the "Policy Director Authorization Services for z/OS and OS/390 V1R2.0 * Customization and Use" manual. It runs from Page 67 through Page 72. Wherever RACF administrative commands are documented the corresponding eTrust CA-TOP SECRET commands are shown here.

    On Page 67, Step 2 of "Configuration Setup" where the Policy Director Certificate Authority certificate is added, issue the following eTrust CA-TOP SECRET commands:

    TSS ADD(CERTAUTH) DIGICERT(HPDIRCA) -
    DCDSN('sequential_dataset_containing_certificate') -
    HITRUST LABLCERT('HPDPolicy Director CA')

    On Page 67, Step 3 of "Configuration Setup" where a keyring for the user invoking pdacldcfg is inserted, issue the following eTrust CA-TOP SECRET command:

    TSS ADD(userid_invoking_pdacldcfg) KEYRING(CFGRING) -
    LABLRING('HPDPDACLDCFGKeyRing')

    On Page 67, Step 4 of "Configuration Setup", where the Policy Director Certificate Authority certificate is connected to the HPDPDACLDCFGKeyRing keyring, issue the following eTrust CA-TOP SECRET command:

    TSS ADD(userid_invoking_pdacldcfg) -
    RINGDATA(CERTAUTH, HPDIRCA) -
    KEYRING(CFGRING) -
    LABLRING('HPDPDACLDCFGKeyRing')

    On Page 67, Steps 5(a) and 5(b) of "Configuration Setup", where a certificate request is created for the pdacld server, issue these eTrust CA-TOP SECRET commands:

    TSS GENCERT(PDACLD) DIGICERT(HPDPDU) -
    SUBJECTDN('CN="pdacld-hostname" O="Policy Director" C="US"') -
    LABLCERT('HPDPD Server') KEYUSAGE(HANDSHAKE)

    On Page 68, Steps 1-4 for completing the pdacld configuration in section "Configuration Setup", issue the following eTrust CA-TOP SECRET commands:

    TSS ADD(PDACLD) KEYRING(HPDPRING) -
    LABLRING('HPDPolicy Director CA')

    TSS ADD(PDACLD) KEYRING(HPDPRING) RINGDATA(CERTAUTH,HPDIRCA) -
    USAGE(CERTAUTH)

    TSS ADD(PDACLD) DIGICERT(HPDPS) DCDSN('signed_certificate_dataset') -
    LABLCERT('HPDPD Server') TRUST

    TSS ADD(PDACLD) KEYRING(HPDPRING) RINGDATA(PDACLD,HPDPS) -
    DEFAULT USAGE(PERSONAL)
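    A consistency check over a TSS certificate and keyring command sequence, added here as an illustration and not taken from the CA or IBM documents: it joins continuation lines, replays the commands to track which certificates and keyrings have been defined, and flags a keyring connect that references something not yet defined (the kind of slip a transposed label such as HDPDPS for HPDPS produces). The sample input is constructed from the pdacld commands above; the dataset names are placeholders.

```python
import re

# Constructed sample (not from the CA/IBM documents): pdacld keyring setup, with HDPDPS transposed for HPDPS in the last command.
SAMPLE = """\
TSS ADD(CERTAUTH) DIGICERT(HPDIRCA) DCDSN('HPD.CA.CERT') -
  HITRUST LABLCERT('HPDPolicy Director CA')
TSS ADD(PDACLD) KEYRING(HPDPRING) LABLRING('HPDPolicy Director CA')
TSS ADD(PDACLD) KEYRING(HPDPRING) RINGDATA(CERTAUTH,HPDIRCA) USAGE(CERTAUTH)
TSS GENCERT(PDACLD) DIGICERT(HPDPDU) LABLCERT('HPDPD Server') KEYUSAGE(HANDSHAKE)
TSS ADD(PDACLD) DIGICERT(HPDPS) DCDSN('HPD.SIGNED.CERT') LABLCERT('HPDPD Server') TRUST
TSS ADD(PDACLD) KEYRING(HPDPRING) RINGDATA(PDACLD,HDPDPS) DEFAULT USAGE(PERSONAL)
"""
TOKEN = re.compile(r"([A-Z]+)\(([^()]*)\)")  # KEYWORD(value) pairs; bare keywords are ignored

def join_continuations(text):
    # A trailing '-' continues the TSS command on the next line.
    cmds, buf = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        buf += line.rstrip("-").rstrip() + " "
        if not line.endswith("-"):
            cmds.append(buf.strip())
            buf = ""
    return cmds

def parse(cmd):
    # 'TSS VERB(acid) KEY(value) ...' -> (verb, acid, {key: value})
    pairs = [(k, v.strip()) for k, v in TOKEN.findall(cmd)]
    (verb, acid), params = pairs[0], dict(pairs[1:])
    return verb, acid, params

def lint(text):
    # Replay the sequence, tracking what exists; flag connects to undefined objects.
    certs, rings, problems = set(), set(), []
    for cmd in join_continuations(text):
        verb, acid, p = parse(cmd)
        if verb == "GENCERT" or (verb == "ADD" and "DIGICERT" in p and "KEYRING" not in p):
            certs.add((acid, p["DIGICERT"]))
        elif verb == "ADD" and "KEYRING" in p:
            ring = (acid, p["KEYRING"])
            ref = p.get("RINGDATA") or p.get("DIGICERT")  # the page shows both spellings
            if ref is None:
                rings.add(ring)
                continue
            owner, label = (s.strip() for s in ref.split(","))
            if ring not in rings:
                problems.append(f"{cmd}: keyring {ring[1]} not defined")
            if (owner, label) not in certs:
                problems.append(f"{cmd}: certificate {owner}/{label} not defined")
    return problems
```

Running lint(SAMPLE) reports the last command because PDACLD/HDPDPS was never added or generated; correcting the label to HPDPS yields an empty list.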

    On Page 69, Steps 2(a)-2(d) of section "Unconfiguring pdacld", issue the following eTrust CA-TOP SECRET commands:

    DELETE PDACLD DIGICERT(HPDPS)
    TSS REM(PDACLD) DIGICERT(HPDPS)

    DELETE CERTAUTH DIGICERT(HPDIRCA)
    TSS REM(CERTAUTH) DIGICERT(HPDIRCA)

    DELETE userid_invoking_pdacldcfg KEYRING(CFGRING)
    TSS REM(userid_invoking_pdacldcfg) KEYRING(CFGRING)

    DELETE PDACLD KEYRING(HPDPRING)
    TSS REM(PDACLD) KEYRING(HPDPRING)