Steps To Create A Federal Reserve Digital Certificate Using CA Top Secret.

Document ID : KB000054786
Last Modified Date : 14/02/2018

Description:

The following is a generic set of instructions for:

  • Creating a digital certificate to connect to the Federal Reserve Bank using Connect:Direct Secure+
  • Creating Keyrings for the Connect:Direct Secure+ started task acid.
  • Adding the Federal Reserve certificates to the Keyring.

Solution:

These instructions assume the reader has a working knowledge of:

  • The use of CA Top Secret administration commands.
  • Authority to issue Certificate commands in CA Top Secret (MISC4).
  • z/OS dataset allocation
  • The PC-to-mainframe file transfer process (FTP) or cut/paste
  • Understanding of the Connect:Direct Secure+ Node definition process
  • Access to the Internet
  • Adding OMVS segment information to the Connect:Direct Secure+ started task acid. This should have been completed during the Connect:Direct Secure+ installation.
  • Your site's established naming conventions for digital certificate names, digital certificate label names, keyring names and keyring label names.

  1. Create a Certificate Signing Request (CSR) for signing by the Federal Reserve

    TSS GENCERT(acid) DIGICERT(digicert) -
    SUBJECTN('CN="nnnnnnnn" -
    OU="my NDM Node to the FED" -
    O="mycompanydomain.com" -
    C="US"') -
    NADATE(mm/dd/yy)

    • acid - Acid of the started task that will be using the digital certificate. Use acid CERTSITE if the certificate will be shared with multiple Connect:Direct Secure+ started task acids.
    • nnnnnnnn - Your Federal Reserve Reference Number.
    • digicert - The digital certificate name, up to 8 characters, which is case sensitive. A naming convention should be established for the digicert name for ease of reference.
    • NADATE - Expiration (not-after) date for the digital certificate, in mm/dd/yy format.
    • CN - In this field specify the 8-digit Reference Number assigned to your company by the Federal Reserve. The Reference Number expires 18 days from its date of issue.

      DO NOT use the "real" Common Name that you will have been provided in other documentation!

      Caution: Your site may have been provided with multiple Reference Numbers. Ensure the number used in this command matches the system for which you are generating the certificate.

    • OU - Specify information that is meaningful to your company.
    • O - Specify your company's domain name.
    • C - Must specify "US". The Federal Reserve requires this to be included.

    • Example:

      TSS GENCERT(CERTSITE) DIGICERT(FEDCERTU) -
      SUBJECTN('CN="12345678" -
      OU="my NDM Node to the FED" -
      O="mycompanydomain.com" -
      C="US"') -
      NADATE(05/01/28)

  2. TSS LIST the certificate to confirm that it has been created

    TSS LIST(acid) DIGICERT(digicert)

    • acid - Acid of the started task that will be using the digital certificate.
    • digicert - The 8 character digital certificate name, which is case sensitive
    • Example:

      TSS LIST(CERTSITE) DIGICERT(FEDCERTU)

  3. Use TSS GENREQ to write the certificate signing request to a dataset.

    TSS GENREQ(acid) DIGICERT(digicert) DCDSN('datasetname')

    • acid - Acid of the started task that will be using the digital certificate.
    • datasetname - Dataset name where the request will be written. It must not already exist; GENREQ allocates it.
    • digicert - The digital certificate name from step 1.
    • Example:

      TSS GENREQ(CERTSITE) DIGICERT(FEDCERTU) -
      DCDSN('FEDCERT.UNSIGNED.CERT')

  4. Browse the request dataset on TSO and cut/paste its entire contents, including the -----BEGIN and -----END lines, into a Notepad file on your PC.

       BROWSE   FEDCERT.UNSIGNED.CERT               Line 00000000 Col 001 080
       Command ===>                                         Scroll ===> CSR
       ********************************* Top of Data *********************************
       -----BEGIN CERTIFICATE-----
       <your digital certificate data will reside in here>
       <your digital certificate data will reside in here>
       <your digital certificate data will reside in here>
       -----END CERTIFICATE-----
       ******************************** Bottom of Data *******************************
  5. Have the Digital Certificate Request signed by the Federal Reserve Banks.

    Go to Federal Reserve Bank Certificate Retrieval Homepage at:

    https://199.169.223.4/

    Figure 1

    From the Certificate Retrieval Home page, depicted above, select "Web Site Administrator."

    Figure 2

    Complete each option on the Web Site Administrator page (depicted above) and save your information.

    Figure 3

    The Server Certificate Retrieval page, depicted above, requires the following information:

    • The Reference Number - This number is the same number you placed in the CN of your TSS GENCERT command
    • The Authorization Code - Will be received from your company Federal Reserve Representative.
    • The Digital Certificate - The Notepad file with the Digital Certificate from Step 4

      Note: Federal Reserve webpage screen shots were provided by the Federal Reserve and subject to change at anytime.

  6. Open up 3 Notepad files:

    1. One for the signed certificate returned for your CSR, and
    2. One for each of the two Federal Reserve root certificates.

  7. Cut and paste each of the 3 Digital Certificates from the Server Certificate Retrieval page into its Notepad file, including the -----BEGIN and -----END lines.

  8. FTP or Copy/Paste the 3 Digital Certificates to the Mainframe.

    1. Please see the following example for FTPing the 3 certificates to the Mainframe:

      To FTP from the Windows command prompt:

      C:\> cd \documents and settings
      C:\Documents and Settings> ftp zfnbjes

      enter userid
      enter password

      ftp> bin
      ftp> quote site lrecl=84 recfm=vb
      ftp> put fedcertsigned 'FEDCERT.SIGNED.CERT'
      ftp> quit

      • 'documents and settings' is the directory where the Digital Certificate files reside.
      • 'zfnbjes' is your Mainframe FTP site address.
      • 'userid' and 'password' are the userid and password authorized to use FTP, with write authority to the dataset.
      • 'fedcertsigned' is the Digital Certificate file name on the PC.
      • 'FEDCERT.SIGNED.CERT' is the dataset on the Mainframe where the certificate will be written. The single quotes make the name fully qualified; without them the z/OS FTP server prefixes it with your userid's high-level qualifier and the DCDSN used in step 9 would not match.
      • The site command allocates the dataset as variable-blocked with LRECL 84, which leaves 80 data bytes per record, enough for the 64-character base64 lines of a certificate file.
      • After the transfer, browse the dataset and confirm that the -----BEGIN and -----END lines and the base64 text are readable. If the records are unreadable or run together, the transfer mode or record format was wrong; delete the dataset and repeat the transfer.
      • Do the same for the other 2 Digital Certificate Notepad files.

    2. Please see the following example for Copying and Pasting the 3 certificates to the Mainframe:

      • Pre-allocate the datasets using ISPF option 3.2 with these attributes (shown as the ISPF Data Set Information panel displays them; the SMS classes are site-specific):

          Data Set Name . . . . : FEDCERT.SIGNED.CERT
          Organization  . . . . : PS
          Record format . . . . : VB
          Record length . . . . : 84
          Block size  . . . . . : 6233
          1st extent cylinders  : 1
          Secondary cylinders . : 10
          Device type . . . . . : 3390
          Management class  . . : MCRLSE
          Storage class . . . . : SCPSYSTM
          Data class  . . . . . : DCPSYSTM

      • Open the dataset in Edit using ISPF option 3.4.
      • Copy and paste the Digital Certificate Notepad file into the dataset, check that no line was wrapped or truncated, and save the file.
      • Do the same for the other 2 Digital Certificate Notepad files.
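Before transferring the three Notepad files, it is worth checking them offline: a paste that lost its last lines, a line wider than the dataset record, or a request pasted where a certificate was expected all fail later at the TSS ADD with far less helpful messages. The script below is an added example, not part of the CA document or of any CA or Federal Reserve tool. It assumes the files are base64 (PEM) text as pasted from the retrieval page, that the target dataset is the VB LRECL=84 one from the FTP example (so 80 data bytes per record), and that the file names fedcertsigned, fedroot1 and fedroot2 are illustrative; the sample DER blob it checks is constructed and is not a real X.509 certificate.

```python
"""Pre-flight checks for the three certificate files before they go to the
mainframe (added example; not part of the CA document).

Assumptions, not stated by the original page:
  * the files are base64 (PEM) text as pasted into Notepad;
  * the target data set is VB LRECL=84, so a record holds at most 80 data
    bytes (84 minus the 4-byte record descriptor word);
  * file names fedcertsigned, fedroot1, fedroot2 are illustrative.
"""
import base64
import re

MAX_RECORD_DATA = 84 - 4   # usable bytes per record in a VB LRECL=84 data set

# One PEM block: the label on the BEGIN line must be repeated on the END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element (used only to build the
    constructed sample at the bottom)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_outer_length(der: bytes) -> int:
    """Total encoded size claimed by the outermost DER SEQUENCE header,
    or -1 if the bytes do not start with a well-formed SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_file(text: str, expect_label: str) -> list:
    """Return a list of findings for one file; an empty list means it is
    safe to transfer. All three Federal Reserve files in this procedure
    are expected to carry the CERTIFICATE label."""
    findings = []
    m = PEM_RE.search(text)
    if not m:
        return ["no matching -----BEGIN/-----END block found (pasted incompletely?)"]
    label, body = m.group(1), m.group(2)
    if label != expect_label:
        findings.append(f"expected a {expect_label} block but file holds {label}")
    if "\r" in text:
        findings.append("CR LF line ends present: fine for an ASCII-mode FTP, "
                        "but stored as data by a binary-mode transfer")
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_RECORD_DATA:
            findings.append(f"line {lineno} is {len(line)} bytes and exceeds the "
                            f"{MAX_RECORD_DATA}-byte record; it would be truncated")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        findings.append("body is not valid base64")
        return findings
    claimed = der_outer_length(der)
    if claimed != len(der):
        findings.append(f"DER length {claimed} does not match decoded size "
                        f"{len(der)}: the paste is truncated or corrupted")
    return findings


def make_pem(label: str, der: bytes, width: int = 64) -> str:
    """Wrap DER bytes as a PEM text block with the given line width."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def preflight(files: dict) -> dict:
    """files maps a PC file name to its text; returns name -> findings."""
    return {name: check_pem_file(text, "CERTIFICATE") for name, text in files.items()}


# Constructed sample: a DER SEQUENCE with dummy contents standing in for a
# certificate. It is NOT a real X.509 certificate; it only exercises the
# length and layout checks above.
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, b"A" * 200))
SAMPLE_SIGNED_CERT = make_pem("CERTIFICATE", SAMPLE_DER)

if __name__ == "__main__":
    sample_files = {
        "fedcertsigned": SAMPLE_SIGNED_CERT,                          # clean
        "fedroot1": make_pem("CERTIFICATE", SAMPLE_DER[:-10]),        # truncated paste
        "fedroot2": make_pem("CERTIFICATE", SAMPLE_DER, width=100),   # lines too long
    }
    for name, findings in preflight(sample_files).items():
        print(name, "OK" if not findings else findings)
```

The DER length check is the one that catches the common failure: a truncated paste still decodes as base64, but the outer SEQUENCE header states how many bytes the real object has, so any mismatch means the file is not what the Federal Reserve issued. The CR LF finding is informational, because an ASCII-mode FTP strips them while a binary-mode transfer stores them inside the records.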

  9. Add the Digital Certificates to the CA Top Secret Security file.

    1. Add the first Federal Root Digital Certificate

      TSS ADD(CERTAUTH) DIGICERT(xxxxxxxx) -
      DCDSN('datasetname') TRUST -
      LABLCERT(certificatelabel)

      • CERTAUTH - Owner of the root certificate.
      • xxxxxxxx - The digital certificate name, up to 8 characters, which is case sensitive. A naming convention should be established for the digicert name for ease of reference.
      • datasetname - Dataset where the first root certificate resides.
      • certificatelabel - Specifies the certificate label name. Up to 32 characters. The name should be something meaningful that describes the certificate.
      • Example:

        TSS ADD(CERTAUTH) DIGICERT(FEDROOT1) -
        DCDSN('FEDROOT1.CERT') -
        LABLCERT('Federal Reserve Root 1 Cert') -
        TRUST

    2. Add the second Federal Root Digital Certificate

      TSS ADD(CERTAUTH) DIGICERT(xxxxxxxx) -
      DCDSN('datasetname') -
      LABLCERT(certificatelabel) TRUST

      • CERTAUTH - Owner of the root certificate.
      • xxxxxxxx - The digital certificate name, up to 8 characters, which is case sensitive.
      • datasetname - Dataset where the second root certificate resides.
      • certificatelabel - Specifies the certificate label name. Up to 32 characters. The name should be something meaningful that describes the certificate.
      • Example:

        TSS ADD(CERTAUTH) DIGICERT(FEDROOT2) -
        DCDSN('FEDROOT2.CERT') TRUST -
        LABLCERT('Federal Reserve Root 2 Cert')

    3. Add the Digital Certificate signed by the Federal Reserve.

      TSS ADD(acid) DIGICERT(xxxxxxxx) -
      DCDSN('datasetname') TRUST -
      LABLCERT(certificatelabelname)

      • acid - Acid of the started task that will be using the digital certificate. Use acid CERTSITE if the certificate will be shared with multiple Connect:Direct Secure+ started task acids.
      • xxxxxxxx - The digital certificate name, up to 8 characters, which is case sensitive. It MUST be different from the DIGICERT specified in STEP 1.
      • datasetname - Dataset where the signed certificates resides.
      • certificatelabel - Specifies the certificate label name. Up to 32 characters. The name should be something meaningful that describes the certificate. This certificate label name MUST match certificate label name specified in the Connect:Direct Secure+ "Remote" definition to the Federal Reserve.
      • Example:

        TSS ADD(CERTSITE) DIGICERT(FEDCERTS) -
        DCDSN('FEDCERT.SIGNED.CERT') TRUST -
        LABLCERT('Federal Reserve Signed Cert')

  10. Create Keyring and connect Federal Reserve Root Certificates and signed certificate

    1. Create the Keyring:

      TSS ADD(acid) KEYRING(keyringname) LABLRING(keyringlabel)

      • acid - Acid to which you will be adding the Keyring (the Connect:Direct Secure+ started task acid).
      • keyringname - Keyring name, up to 8 characters, which is case sensitive. A naming convention should be established for the keyring name for ease of reference.
      • keyringlabel - Keyring Label Name, up to 237 characters, which is case sensitive. The name should be something meaningful that describes the keyring. This keyring label name MUST match the keyring label name in the Connect:Direct Secure+ definitions used to connect to the Federal Reserve.
      • Example:

        TSS ADD(CONNECT) KEYRING(FEDRING) -
        LABLRING('Federal Reserve Keyring')

    2. Add the first Federal Root Digital Certificate to the Keyring:

      TSS ADD(acid) KEYRING(keyringname) -
      RINGDATA(CERTAUTH,digicert) -
      USAGE(CERTAUTH)

      • acid - Acid where you will add the Digital Certificate to its Keyring.
      • keyringname - Keyring name, up to 8 characters, which is case sensitive. A naming convention should be established for the keyring name for ease of reference.
      • CERTAUTH - the owner of the root certificate.
      • digicert - digital certificate name, up to 8 characters, which is case sensitive.
      • Example:

        TSS ADD(CONNECT) KEYRING(FEDRING) -
        RINGDATA(CERTAUTH,FEDROOT1) -
        USAGE(CERTAUTH)

    3. Add the second Federal Root Digital Certificate to the Keyring:

      TSS ADD(acid) KEYRING(keyringname) -
      RINGDATA(CERTAUTH,digicert) -
      USAGE(CERTAUTH)

      • acid - Acid where you will add the Digital Certificate to its Keyring.
      • keyringname - Keyring name, up to 8 characters, which is case sensitive. A naming convention should be established for the keyring name for ease of reference.
      • CERTAUTH - the owner of the root certificate.
      • digicert - digital certificate name, up to 8 characters, which is case sensitive.
      • Example:

        TSS ADD(CONNECT) KEYRING(FEDRING) -
        RINGDATA(CERTAUTH,FEDROOT2) -
        USAGE(CERTAUTH)

    4. Add the Signed Digital Certificate to the Keyring:

      TSS ADD(acid) KEYRING(keyringname) -
      RINGDATA(owningacid,digicert) -
      USAGE(PERSONAL)

      • acid - Acid where you will add the Digital Certificate to its Keyring.
      • keyringname - Keyring name, up to 8 characters, which is case sensitive. A naming convention should be established for the keyring name for ease of reference.
      • owningacid - the owner of the certificate (CERTSITE in the example, or the started task acid if the certificate was generated under it).
      • digicert - digital certificate name, up to 8 characters, which is case sensitive.
      • DEFAULT - optional keyword; append it to the command if this certificate should be the default certificate on the keyring. It is not required here because the Connect:Direct Secure+ Remote definition names the certificate by its label.
      • Example:

        TSS ADD(CONNECT) KEYRING(FEDRING) -
        RINGDATA(CERTSITE,FEDCERTS) -
        USAGE(PERSONAL)

      • Then list the keyring with TSS LIST(CONNECT) KEYRING(FEDRING) and confirm that the two root certificates show USAGE CERTAUTH and the signed certificate shows USAGE PERSONAL, with the label you entered in the Connect:Direct Secure+ Remote definition.

  11. Authorize users to use Digital Certificates.

    • TSS ADD(owningacid) IBMFAC(IRR.DIGT)
      (skip this step if the IRR.DIGT resource prefix is already owned)
    • TSS PERMIT(acid) IBMFAC(IRR.DIGT) ACC(CONTROL)

      • acid - Acid of the Connect:Direct Secure+ started task that owns the keyring.

      Note: Without the above authorization, security calls for Digital Certificates will fail for the Connect:Direct Secure+ started task acid.

      Caution: IRR.DIGT is a prefix, so CONTROL access to it covers every IRR.DIGTCERT.* function, well beyond the keyring read (IRR.DIGTCERT.LISTRING) and certificate list (IRR.DIGTCERT.LIST) calls the started task makes. CONTROL is what allows the ring owner to use the private key of the CERTSITE-owned certificate (the IRR.DIGTCERT.GENCERT check), which is why it is required in this setup, but it should be permitted only to the started task acid, never to a broad profile or group. Review who holds it with TSS WHOHAS IBMFAC(IRR.DIGT).

Please refer to the CA Top Secret Cookbook for further details about the TSS Digital Certificates commands.