I have the IBM WAS Server product, which includes a REXX EXEC BBOWBRAC (Revised Version) that generates RACF setup definitions for external security. Is there a CA ACF2 equivalent setup available?

Document ID : KB000050852
Last Modified Date : 14/02/2018

Description:

There are two IBM REXX EXECs that generate RACF setup definitions for the IBM WAS Server product, and two CA ACF2 equivalent batch jobstreams that set up the equivalent CA ACF2 commands. Each REXX EXEC exists in two versions, a GA version and a Revised version:

  REXX EXEC  Version     ACF2 Batch Jobstream
  ---------  -------     --------------------
  BBOSBRAC     GA             ACFWAS1G*   
  BBOWBRAC     GA             ACFWAS2G* 
  BBOSBRAC   Revised          ACFWAS1R*   
  BBOWBRAC   Revised          ACFWAS2R

* Note: Available in a separate Knowledge Document.

Solution:

The CA ACF2 ACFWAS2R jobstream that is equivalent to the RACF BBOWBRAC REXX EXEC follows.

  //ACFOWAS2 JOB 
  //*============================================================= 
  //* 
  //*                   A C F O W A S 2 
  //* 
  //*============================================================= 
  //* 
  //*   LICENSE: THIS CODE IS PART OF THE CA-ACF2 SYSTEM, 
  //*   A LICENSED PROGRAM PRODUCT OF CA. 
  //*   Copyright (C) 2007 CA. All rights reserved. 
  //* 
  //*============================================================= 
  //* 
  //* This is a sample job which provides the eTrust CA-ACF2 
  //* commands for WebSphere Application Server setup in an 
  //* eTrust CA-ACF2 secured environment. bbowbrac equivalent. 
  //* 
  //* JOB STEP SUMMARY
  //*
  //* Step 1 ACFLID1  - Define logonids 
  //* Step 2 ACFOMVS2 - SET OMVS FILEPROC SETTING 
  //* Step 3 ACFGSO3  - ACF2 CONTROL GSO UPDATES 
  //* Step 4 ACFRULE4 - SETUP RESOURCE RULES 
  //* Step 5 ACFCERT5 - GENERATE CERTIFICATES FOR SSL SET-UP 
  //* Step 6 ACFKEYR6 - CREATE THE KEYRINGS 
  //* Step 7 ACFCONN7 - CONNECT CERTIFICATES TO THE KEYRINGS 
  //* Step 8 ACFCONN8 - CONNECT CERTIFICATES TO THE KEYRINGS 
  //*
  //*============================================================= 
  //* NOTES: 
  //* ------ 
  //* 1) Please read through the comments carefully before 
  //*    running this job to determine what commands will be 
  //*    needed to setup your own customized environment. 
  //* 
  //* 2) All steps have been coded with PGM=IKJEFT01 except the 
  //*    last step ACFCONN8 which is coded with PGM=IEFBR14. Please 
  //*    review the notes in that job step and INSERT the required
  //*    Commercial Certificate Authority (CA) CERTAUTH certificates
  //*    before changing this step to PGM=IKJEFT01. 
  //* 
  //* 3) All steps should finish with a return code of zero. 
  //* 
  //* 4) Please review the results of this job carefully. 
  //* 
  //* This batch job is provided for your convenience. A complete 
  //* write-up on setting up UNIX SYSTEM SERVICES in an eTrust CA-ACF2 
  //* secured environment can be found in the eTrust CA-ACF2 
  //* Security for z/OS Administrators Guide. 
  //*============================================================= 
  //* Step 1  - Define logonids 
  //*------------------------------------------------------------- 
  //* 
  //* This step defines the userid for the Asynch Admin task 
  //* and the WAS unauthenticated logonids. 
  //*============================================================= 
  //ACFLID1 EXEC PGM=IKJEFT01,REGION=0K 
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF 
  * Adding default asynch admin task userid
  *
  SET LID
  INSERT WSADMSH GROUP(BNCFG) UID(2504) NAME(WAS Asynch Admn Task) -
  HOME(/var/zWebSphereOEM/V7R0/home/BNCFG) PROGRAM(/bin/sh)  STC
  * Adding WAS unauthenticated user ID
  *
  INSERT WSGUEST GROUP(BNGUESTG) UID(2402) NAME(WAS DEFAULT USER) -
  HOME(/var/zWebSphereOEM/V7R0/home/BNGUESTG) PROGRAM(/bin/sh)  STC
  * 
  END
  //* 
  //*============================================================= 
  //* Step 2  - SET OMVS FILEPROC SETTING 
  //*------------------------------------------------------------- 
  //* 
  //* This step changes the OMVS FILEPROC setting to allow for 
  //* 10000 concurrently open files. 
  //*============================================================= 
  //ACFOMVS2 EXEC PGM=IKJEFT01,REGION=0K 
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF
  *  Allow 10000 concurrently open files.
  *
  SET PROFILE(USER) DIV(OMVS)
  CHANGE WSSRU1 FILEPROC(10000) 
  END
  //*
  //*============================================================= 
  //* Step 3  - ACF2 CONTROL GSO UPDATES 
  //*------------------------------------------------------------- 
  //*
  //* This step does the following:
  //* 
  //* - Create STARTED task profiles for each runtime server 
  //*   identity, defining the user identities for the runtime 
  //*   address spaces/tasks.
  //* - Defining SERVER CB.cluster.generic_server. 
  //*   Used for determining if a servant region can initialize.
  //* - Activates additional RACF classes used by WebSphere for 
  //*   z/OS security.
  //* - APPL class setup. Used to control client access to a 
  //*   WebSphere Application Server for z/OS cell or group of 
  //*   cells.
  //* - EJB Role Access.  Needed if SAF Authorization desired.
  //* 
  //*============================================================= 
  //*                Optional Modification Notes 
  //*============================================================= 
  //*
  //* Records that are created by INSERT or GENCERT commands include 
  //* a sample one- to eight-character suffix that can be changed by 
  //* sites as needed. For example, in the following 3 commands, cbind, 
  //* bbncert and 7dmnb are suffixes:
  //* 
  //* INSERT CLASMAP.cbind 
  //* GENCERT CERTAUTH.bbncert
  //* INSERT STC.7dmnb
  //* 
  //* Note: If any of the suffixes are changed, any references to 
  //* that suffix must also be changed in subsequent command references 
  //* as well.
  //* 
  //* The WebSphere security scheme utilizes 3 resource classes SERVER, 
  //* CBIND and APPL that normally default to the three-byte CA ACF2 
  //* resource type code SAF. To facilitate administration and 
  //* management of resource rules it is advisable to map these 
  //* resources to a unique TYPE code rather than SAF. This command 
  //* stream maps the 3 resource classes SERVER, CBIND and APPL to SRV, 
  //* CBD and APL respectively, as shown by the following three ACF2 GSO 
  //* CLASMAP records:
  //*
  //* INSERT CLASMAP.server RESOURCE(SERVER) RSRCTYPE(srv) ENTITYLN(41)
  //* INSERT CLASMAP.cbind  RESOURCE(CBIND)  RSRCTYPE(cbd) ENTITYLN(41)
  //* INSERT CLASMAP.appl   RESOURCE(APPL)   RSRCTYPE(apl) ENTITYLN(8)
  //* 
  //* Note: Sites should review these resource TYPE codes SRV, CBD and 
  //* APL to ensure that there are no conflicts. These type codes can 
  //* be changed to other values to meet a site's needs; however, if the 
  //* TYPE codes are changed, a corresponding change needs to be done to 
  //* the SET RESOURCE and RECKEY commands that reference the TYPE codes.
  //*
  //*============================================================= 
  //*============================================================= 
  //ACFGSO3 EXEC PGM=IKJEFT01,REGION=0K 
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF
  * Assigning userids to started tasks. 
  * Assign async admin ID to started task
  *
  SET CONTROL(GSO)
  INSERT STC.7adm  STCID(BBN7ADM)  logonid(WSADMSH)
  INSERT STC.7dmnb STCID(BBN7DMNB) logonid(BNACRU)
  INSERT STC.7acr  STCID(BBN7ACR)  logonid(BNACRU)
  INSERT STC.s001a STCID(BBNS001A) logonid(BNACRU)
  INSERT STC.s001s STCID(BBNS001S) logonid(BNACRU)
  *
  * Defining SERVER CB.cluster.generic_server. 
  * Used for determining if a servant region can initialize.
  *
  * Override ACF2 default internal SAFDEF: SERVER      SAF     41
  *
  INSERT CLASMAP.server RESOURCE(SERVER) RSRCTYPE(srv) ENTITYLN(41)
  * Activating classes needed only for z/OS security. 
  * Override ACF2 default internal SAFDEF: CBIND       SAF     41
  *
  INSERT CLASMAP.cbind RESOURCE(CBIND) RSRCTYPE(cbd) ENTITYLN(41)
  *
  * APPL class setup.
  * Override ACF2 default internal SAFDEF: APPL        SAF     8 
  *
  INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(apl) ENTITYLN(8)
  *
  * Setting up EJBRoles Profiles for admin roles when using SAF 
  * authorization
  * 
  CHANGE INFODIR TYPES(R-REJB) ADD
  CHANGE INFODIR TYPES(R-RSRV) ADD
  CHANGE INFODIR TYPES(R-RCBD) ADD
  CHANGE INFODIR TYPES(R-RAPL) ADD
  *
  * Refresh GSO STC, CLASMAP and updated INFODIR records
  *
  F ACF2,REFRESH(STC)
  F ACF2,REFRESH(CLASMAP)
  F ACF2,REFRESH(INFODIR)
  END
  //* 
  //*============================================================= 
  //* Step 4  - SETUP RESOURCE RULES 
  //*=============================================================
  //* This step does the following:
  //* 
  //* - Permitting SERVER class access. 
  //* 
  //* - AsynchBeans for z/OS, require servants to have access to 
  //*   WLM services. Authorize servants to use WLM Services. 
  //* 
  //* - Define IRR resource permissions to work with certificates. 
  //* 
  //* - Set permissions for CLASS(APPL).
  //* 
  //* - Setup resource CLASS CBIND which is used to determine
  //*   if a client can "BIND" (access) a controller region. 
  //* 
  //* - Defining EJB roles for SAF access.
  //* 
  //* - Creating EnableTrustedApplications profile used for: 
  //*   Allowing applications to perform operations normally 
  //*   reserved for privileged users. 
  //*============================================================= 
  //*                 REQUIRED Modification Notes 
  //*============================================================= 
  //* Notes: 
  //*
  //* 1) The UID string in rules that are created and modified 
  //*    must be updated to conform to a site's UID string for 
  //*    the logonids as identified by: 
  //*    "UID(UID string for BNSRVG)". 
  //* 2) There are logonids for WOEMADM, WSGUEST, BNACRU, WSSRU1, 
  //*    WSADMSH.
  //*
  //*    There are no logonids for RACF GROUPs BNGUESTG, BNCFG and 
  //*    BNSRVG. Any PERMITs for these GROUPS are translated to ACF2 
  //*    rule entries for each logonid in the GROUP.
  //*
  //*    Group BNGUESTG includes logonid WSGUEST.
  //*    Group BNCFG includes logonids WOEMADM, BNACRU, WSSRU1, and 
  //*                                  WSADMSH.
  //*    Group BNSRVG includes logonid WSSRU1.
  //*============================================================= 
  //ACFRULE4 EXEC PGM=IKJEFT01,REGION=0K 
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF
  * Permitting SERVER class access. 
  *
  SET RESOURCE(SRV)
  RECKEY CB ADD( -.BBNC001.- UID(UID string for  WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY CB ADD( -.BBNC001ADJUNCT.- UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY CB ADD( -.BBNC001.- UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  *
  F ACF2,REBUILD(SRV)
  * 
  * Authorize servants to use WLM Services
  *
  SET RESOURCE(FAC)
  RECKEY BPX ADD(WLMSERVER UID(UID string for  WSSRU1) -
  SERVICE(READ) ALLOW)
  *
  * Define permissions to work with certificates
  *
  RECKEY IRR ADD(DIGTCERT.LIST UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY IRR ADD(DIGTCERT.LIST UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY IRR ADD(DIGTCERT.LIST UID(UID string for WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY IRR ADD(DIGTCERT.LIST UID(UID string for WSADMSH) -
  SERVICE(READ) ALLOW)
  RECKEY IRR ADD(DIGTCERT.LISTRING UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY IRR ADD(DIGTCERT.LISTRING UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY IRR ADD(DIGTCERT.LISTRING UID(UID string for WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY IRR ADD(DIGTCERT.LISTRING UID(UID string for WSADMSH) -
  SERVICE(READ) ALLOW)
  F ACF2,REBUILD(FAC)
  * 
  * Sets permissions for CLASS(APPL) 
  *
  SET RESOURCE(APL)
  RECKEY BBNBASE ADD( UID(UID string for WSGUEST) -
  SERVICE(READ) ALLOW)
  F ACF2,REBUILD(APL)
  *
  * Define and permit CB.BIND.<cluster name> profile to CBIND class
  *
  SET RESOURCE(cbd)
  RECKEY CB ADD( BIND.BBNBASE.- UID(UID string for WOEMADM) -
  SERVICE(DELETE) ALLOW)
  RECKEY CB ADD( BIND.BBNBASE.- UID(UID string for BNACRU) -
  SERVICE(DELETE) ALLOW)
  RECKEY CB ADD( BIND.BBNBASE.- UID(UID string for WSSRU1) -
  SERVICE(DELETE) ALLOW)
  RECKEY CB ADD( BIND.BBNBASE.- UID(UID string for WSADMSH) -
  SERVICE(DELETE) ALLOW)
  F ACF2,REBUILD(cbd)
  *
  * Defining roles for SAF access
  *
  SET RESOURCE(EJB)
  RECKEY BBNBASE ADD( adminsecuritymanager UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( auditor UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( administrator UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( administrator UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( administrator UID(UID string for WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( administrator UID(UID string for WSADMSH) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingRead UID(UID string for WSGUEST) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingWrite UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingWrite UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingWrite UID(UID string for WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingWrite UID(UID string for WSADMSH) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingCreate UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingCreate UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingCreate UID(UID string for WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingCreate UID(UID string for WSADMSH) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingDelete UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingDelete UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingDelete UID(UID string for WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY BBNBASE ADD( CosNamingDelete UID(UID string for WSADMSH) -
  SERVICE(READ) ALLOW)
  F ACF2,REBUILD(EJB)
  *
  * Creating EnableTrustedApplications profile 
  * 
  SET RESOURCE(FAC)
  RECKEY BBO ADD( TRUSTEDAPPS.BBNBASE.BBNC001 UID(UID string for WOEMADM) -
  SERVICE(READ) ALLOW)
  RECKEY BBO ADD( TRUSTEDAPPS.BBNBASE.BBNC001 UID(UID string for BNACRU) -
  SERVICE(READ) ALLOW)
  RECKEY BBO ADD( TRUSTEDAPPS.BBNBASE.BBNC001 UID(UID string for WSSRU1) -
  SERVICE(READ) ALLOW)
  RECKEY BBO ADD( TRUSTEDAPPS.BBNBASE.BBNC001 UID(UID string for WSADMSH) -
  SERVICE(READ) ALLOW)
  F ACF2,REBUILD(FAC) 
  END
  //*
  //*============================================================= 
  //* Step 5  - GENERATE CERTIFICATES FOR SSL SET-UP 
  //*=============================================================
  //* 
  //* This step sets up a WAS Test Certificate Authority for use 
  //* for creating all certificates needed on both client and 
  //* servers, for test purposes. Three certificates are created:
  //*
  //* - Create SSL Certificate Authority certificate which will be 
  //*   used to sign client and server certs.
  //* 
  //* - Generating certificate for WebSphere controller.
  //* 
  //* - Generating certificate for Location Service Daemon 
  //* 
  //*============================================================= 
  //*               Optional Modification Notes 
  //*============================================================= 
  //* Records that are created by GENCERT commands include a sample 
  //* one- to eight-character suffix that can be changed by sites as 
  //* needed. 
  //*
  //* For example, in the following 3 commands, cbind, bbncert and 
  //* 7dmnb are suffixes:
  //* 
  //* INSERT CLASMAP.cbind 
  //* GENCERT CERTAUTH.bbncert
  //* INSERT STC.7dmnb
  //* 
  //* Note: If any of the suffixes are changed, any references 
  //* to that suffix must also be changed in subsequent command 
  //* references as well.
  //* 
  //*============================================================= 
  //ACFCERT5 EXEC PGM=IKJEFT01,REGION=0K 
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF
  *
  * Create SSL Certificate Authority certificate
  * This will be used to sign client and server certs
  *
  GENCERT CERTAUTH.bbncert LABEL(WebSphereCA) EXPIRE(12-31-2018) -
  SUBJSDN(cn='WAS CertAuth for Security Domain' ou='BBNBASE')
  *
  * Generating certificate for WebSphere controller 
  *
  GENCERT BNACRU.CERT LABEL(DefaultWASCert.BBNBASE) -
  SUBJSDN(CN='TCPIPSYT.CIS.CAT.COM' O='IBM' OU='BBNBASE') -
  SIGNWITH(certauth Label(WebSphereCA)) -
  EXPIRE(12-31-2018)
  *
  * Generating certificate for Location Service Daemon 
  *
  GENCERT BNACRU.CERT2 LABEL(DefaultDaemonCert.BBNBASE) - 
  SUBJSDN(CN='TCPIPSYT.CIS.CAT.COM' O='IBM' OU='BBNBASE') -
  SIGNWITH(certauth Label(WebSphereCA)) -
  EXPIRE(12-31-2018)
  END
  //* 
  //*============================================================= 
  //* Step 6  - CREATE THE KEYRINGS 
  //*------------------------------------------------------------- 
  //* 
  //* This step creates the following KEYRINGs:
  //* - WebSphere controller keyring
  //* - WebSphere servant keyring
  //* - SSL keyring for WebSphere administrator user id 
  //* - SSL keyring for WebSphere asynch administrator
  //* - Root keyring
  //* - Signers keyring
  //* 
  //*============================================================= 
  //ACFKEYR6 EXEC PGM=IKJEFT01,REGION=0K 
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF
  * Create WebSphere controller keyring
  *
  SET PROFILE(USER) DIV(KEYRING)
  INSERT BNACRU.ring RINGNAME(WASKeyring.BBNBASE)
  * Create WebSphere servant keyring
  *
  INSERT WSSRU1.ring RINGNAME(WASKeyring.BBNBASE)
  * Creating SSL keyring for WebSphere administrator user id
  *
  INSERT WOEMADM.ring RINGNAME(WASKeyring.BBNBASE)
  * Creating SSL keyring for WebSphere asynch administrator 
  *
  INSERT WSADMSH.ring RINGNAME(WASKeyring.BBNBASE)
  * Creating Root and Signers keyrings 
  *
  INSERT BNACRU.rootring RINGNAME(WASKeyring.BBNBASE.Root)
  INSERT BNACRU.sgnring RINGNAME(WASKeyring.BBNBASE.Signers)
  END
  //* 
  //*============================================================= 
  //* Step 7  - CONNECT CERTIFICATES TO THE KEYRINGS 
  //*------------------------------------------------------------- 
  //* 
  //* This step performs the following CONNECTs:
  //* 
  //* - Connect controller certificate to controller keyring
  //* - Connect WebSphere CA certificate to controller keyring
  //* - Connecting Daemon Certificate to the keyring 
  //* - Connect WAS CA Certificate to servant keyring
  //* - Connect WAS CA Certificate to WebSphere administrator 
  //*   keyring
  //* - Connect WAS CA Certificate to WebSphere asynch administrator 
  //*   keyring
  //* - Connect root CA certificates to the root keyrings
  //* - Connect default signers to the default signers keyring 
  //* 
  //*============================================================= 
  //ACFCONN7 EXEC PGM=IKJEFT01,REGION=0K 
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF
  * Connect controller certificate to controller keyring 
  CONNECT CERTDATA(BNACRU.CERT) KEYRING(BNACRU.ring) -
  USAGE(PERSONAL) DEFAULT
  * Connect WebSphere CA certificate to controller keyring 
  CONNECT CERTDATA(CERTAUTH.bbncert) KEYRING(BNACRU.ring) -
  USAGE(CERTAUTH)
  * Connecting Daemon Certificate to the keyring
  CONNECT CERTDATA(BNACRU.CERT2) KEYRING(BNACRU.ring) -
  USAGE(PERSONAL) DEFAULT
  * Connect WAS CA Certificate to servant keyring
  CONNECT CERTDATA(CERTAUTH.bbncert) KEYRING(WSSRU1.ring) -
  USAGE(CERTAUTH)
  * Connect WAS CA Certificate to WebSphere administrator keyring
  CONNECT CERTDATA(CERTAUTH.bbncert) KEYRING(WOEMADM.ring) -
  USAGE(CERTAUTH)
  * Connect WAS CA Certificates to WebSphere asynch administrator keyring
  CONNECT CERTDATA(CERTAUTH.bbncert) KEYRING(WSADMSH.ring) -
  USAGE(CERTAUTH)
  * Connect root CA certificates to the root keyrings 
  CONNECT CERTDATA(CERTAUTH.bbncert) KEYRING(BNACRU.rootring) -
  USAGE(CERTAUTH)
  * Connect default signers to the default signers keyring 
  CONNECT CERTDATA(CERTAUTH.bbncert) KEYRING(BNACRU.sgnring) -
  USAGE(CERTAUTH)
  END
  //*
  //*============================================================= 
  //* Step 8  - CONNECT COMMERCIAL CA CERTIFICATES TO THE KEYRINGS 
  //*------------------------------------------------------------- 
  //* 
  //* This step has been coded with PGM=IEFBR14. After reviewing the
  //* notes below and INSERTing the required Commercial Certificate 
  //* Authority (CA) CERTAUTH certificates you can change this to 
  //* PGM=IKJEFT01 and un-comment the CONNECT statements to CONNECT
  //* the Commercial Certificate Authority (CA) CERTAUTH certificates
  //* that your site is using.
  //*
  //* Note: The common Commercial Certificate Authority (CA) CERTAUTH 
  //*    certificates this step connects are required for the 
  //*    following four KEYRINGs.
  //* 
  //* WebSphere Controller Keyring WASKeyring.BBNBASE for ID(BNACRU)
  //* WebSphere Servant Keyring WASKeyring.BBNBASE for ID(WSSRU1)
  //* WebSphere Administrator User ID SSL Keyring WASKeyring.BBNBASE 
  //*   for ID(WOEMADM)
  //* WebSphere Asynch Administrator SSL Keyring WASKeyring.BBNBASE 
  //*   for ID(WSADMSH)
  //* 
  //* There are a number of common Commercial CAs. By default ACF2 does 
  //* not include the common Commercial CA CERTAUTH certificates in the 
  //* ACF2 INFOSTG database. Depending on a site's client/server SSL 
  //* setup some of these CERTAUTH certificates need to be connected to 
  //* the above Keyrings. 
  //* 
  //* Common Commercial CAs
  //* -----------------------------
  //* Verisign Class 3 Primary CA
  //* Verisign Class 1 Primary CA
  //* RSA Secure Server CA
  //* Thawte Server CA
  //* Thawte Premium Server CA
  //* Thawte Personal Basic CA
  //* Thawte Personal Freemail CA
  //* Thawte Personal Premium CA
  //* Verisign International Svr CA
  //* 
  //* Sites can CONNECT all of the common Commercial CAs or 
  //* determine which Commercial CAs are required and just CONNECT those. 
  //* In order to CONNECT any of these common Commercial CAs a site would 
  //* need to INSERT them into the ACF2 INFOSTG database after downloading 
  //* the certificates to z/OS. These common Commercial certificates can be 
  //* downloaded from the Commercial CA website or they can be exported 
  //* from Internet Explorer or Mozilla/Firefox (these browsers include most 
  //* of the common Commercial CA certificates) and then uploaded to the 
  //* mainframe from the PC. After INSERTing any of these certificates into 
  //* the ACF2 INFOSTG database the sample CONNECT commands in the command 
  //* stream that follows can be un-commented to CONNECT the appropriate 
  //* CERTAUTH certificate to the appropriate Keyring.
  //*
  //*============================================================= 
  //ACFCONN8 EXEC PGM=IEFBR14,REGION=0K
  //SYSPRINT DD SYSOUT=* 
  //SYSTSPRT DD SYSOUT=* 
  //SYSUDUMP DD SYSOUT=* 
  //SYSTSIN  DD * 
  ACF
  * Connect commercial CAs to controller keyring 
  * Sample CONNECTs for commercial CA certificates to the controller keyring:
  *
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 3 Primary CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 1 Primary CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(RSA Secure Server CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Server CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Premium Server CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Basic CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Freemail CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Premium CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign International Svr CA) - 
  *  KEYRING(BNACRU.ring) USAGE(CERTAUTH) 
  * 
  * Connect commercial CAs to servant keyring 
  * Sample CONNECTs for commercial CA certificates to the servant keyring: 
  * 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 3 Primary CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 1 Primary CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(RSA Secure Server CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Server CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Premium Server CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Basic CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Freemail CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Premium CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign International Svr CA) - 
  *  KEYRING(WSSRU1.ring) USAGE(CERTAUTH) 
  * 
  * Connect Commercial CAs to WebSphere administrator keyring 
  * Sample CONNECTs for commercial CA certificates to the WebSphere 
  * administrator keyring: 
  * 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 3 Primary CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 1 Primary CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(RSA Secure Server CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Server CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Premium Server CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Basic CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Freemail CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Premium CA) - 
  *  KEYRING(WOEMADM.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign International Svr CA) - 
  *  KEYRING(WOEMADM.ring ) USAGE(CERTAUTH) 
  * 
  * Connect Commercial CAs to WebSphere asynch administrator keyring 
  * Sample CONNECTs for commercial CA certificates to the WebSphere asynch 
  * administrator keyring: 
  * 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 3 Primary CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 1 Primary CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(RSA Secure Server CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Server CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Premium Server CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Basic CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Freemail CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Premium CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * CONNECT CERTDATA(CERTAUTH) LABEL(Verisign International Svr CA) - 
  *  KEYRING(WSADMSH.ring) USAGE(CERTAUTH) 
  * 
  END
  //*
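The modification notes in the jobstream state two consistency rules that a site has to apply by hand before submitting the job: the Step 3 note that a CLASMAP TYPE code changed in one place must be changed everywhere it is referenced, and the Step 4 notes that every "UID(UID string for <logonid>)" placeholder must be replaced with the site's real UID string and that a PERMIT for a RACF GROUP becomes one ACF2 rule entry per logonid in the group. The Python script below is an added example, not part of the CA knowledge document or of the ACFWAS2R jobstream; it runs those rules as a pre-flight check over a constructed excerpt of the command stream. The group memberships are the ones the Step 4 notes list; the site UID strings (WASADM*WOEMADM and so on), the excerpt, and the function names are constructed for the example.

```python
"""Pre-flight check for a CA ACF2 command stream such as ACFWAS2R.

Added example, not part of the CA knowledge document or the jobstream.
Rule 1: every TYPE code a GSO CLASMAP record introduces must also appear
        in an INFODIR TYPES(R-Rxxx) entry and in a SET RESOURCE(xxx).
Rule 2: a rule entry whose placeholder names a RACF GROUP is expanded to
        one entry per member logonid, and every remaining placeholder is
        replaced with the site's UID string (or reported as unresolved).
"""
import re

# Group memberships exactly as the Step 4 notes of the job list them.
GROUPS = {
    "BNGUESTG": ["WSGUEST"],
    "BNCFG": ["WOEMADM", "BNACRU", "WSSRU1", "WSADMSH"],
    "BNSRVG": ["WSSRU1"],
}

# Site UID strings: constructed sample values, not from the document.
# WSGUEST is deliberately missing so the unresolved-placeholder check fires.
SITE_UIDS = {
    "WOEMADM": "WASADM*WOEMADM",
    "BNACRU": "WASSTC*BNACRU",
    "WSSRU1": "WASSTC*WSSRU1",
    "WSADMSH": "WASSTC*WSADMSH",
}

CLASMAP_RE = re.compile(r"^\s*INSERT\s+CLASMAP\.\S+.*\bRSRCTYPE\((\w+)\)", re.I)
INFODIR_RE = re.compile(r"^\s*CHANGE\s+INFODIR\s+TYPES\(R-R(\w+)\)", re.I)
SETRES_RE = re.compile(r"^\s*SET\s+RESOURCE\((\w+)\)", re.I)
PLACEHOLDER_RE = re.compile(r"UID\(UID string for\s+(\w+)\)", re.I)


def check_type_codes(stream: str) -> list:
    """Return CLASMAP TYPE codes that lack an INFODIR entry or a SET RESOURCE()."""
    clasmap, infodir, setres = set(), set(), set()
    for line in stream.splitlines():
        for rx, bucket in ((CLASMAP_RE, clasmap), (INFODIR_RE, infodir), (SETRES_RE, setres)):
            m = rx.match(line)
            if m:
                bucket.add(m.group(1).upper())
    return sorted(t for t in clasmap if t not in infodir or t not in setres)


def expand_group_permit(entry: str, group: str) -> list:
    """Translate one entry whose placeholder names a GROUP into one entry per member logonid."""
    return [PLACEHOLDER_RE.sub(f"UID(UID string for {lid})", entry) for lid in GROUPS[group]]


def expand_groups(stream: str) -> str:
    """Apply expand_group_permit to every line that carries a GROUP placeholder."""
    out = []
    for line in stream.splitlines():
        m = PLACEHOLDER_RE.search(line)
        if m and m.group(1).upper() in GROUPS:
            out.extend(expand_group_permit(line, m.group(1).upper()))
        else:
            out.append(line)
    return "\n".join(out)


def resolve_uids(stream: str):
    """Substitute site UID strings; return (new stream, sorted unresolved logonids)."""
    unresolved = set()

    def sub(m):
        lid = m.group(1).upper()
        if lid in SITE_UIDS:
            return f"UID({SITE_UIDS[lid]})"
        unresolved.add(lid)          # leave the placeholder in place and report it
        return m.group(0)

    return PLACEHOLDER_RE.sub(sub, stream), sorted(unresolved)


def preflight(stream: str):
    """Run both rules; return (resolved stream, missing TYPE codes, unresolved logonids)."""
    expanded = expand_groups(stream)
    resolved, unresolved = resolve_uids(expanded)
    return resolved, check_type_codes(expanded), unresolved


# Constructed excerpt in the style of ACFWAS2R: the INFODIR entry for APL is
# omitted and a GROUP placeholder (BNCFG) is left in so both checks have work to do.
SAMPLE_STREAM = """\
SET CONTROL(GSO)
INSERT CLASMAP.server RESOURCE(SERVER) RSRCTYPE(srv) ENTITYLN(41)
INSERT CLASMAP.cbind  RESOURCE(CBIND)  RSRCTYPE(cbd) ENTITYLN(41)
INSERT CLASMAP.appl   RESOURCE(APPL)   RSRCTYPE(apl) ENTITYLN(8)
CHANGE INFODIR TYPES(R-REJB) ADD
CHANGE INFODIR TYPES(R-RSRV) ADD
CHANGE INFODIR TYPES(R-RCBD) ADD
SET RESOURCE(SRV)
RECKEY CB ADD( -.BBNC001.- UID(UID string for  WSSRU1) SERVICE(READ) ALLOW)
SET RESOURCE(APL)
RECKEY BBNBASE ADD( UID(UID string for WSGUEST) SERVICE(READ) ALLOW)
SET RESOURCE(cbd)
RECKEY CB ADD( BIND.BBNBASE.- UID(UID string for BNCFG) SERVICE(DELETE) ALLOW)
"""

if __name__ == "__main__":
    text, missing, unresolved = preflight(SAMPLE_STREAM)
    print(text)
    print("TYPE codes missing INFODIR or SET RESOURCE:", missing)
    print("Placeholders still unresolved:", unresolved)
```

The script only reads and rewrites the command text; submitting the result is still a manual step, which is the point of a pre-flight check. Continued RECKEY lines (those ending in `-`) would need to be joined before the regexes see them; the excerpt keeps each entry on one line for that reason.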