TELNET Signed Certificate Setup with CA TOP SECRET as the Certificate Authority

Document ID : KB000026786
Last Modified Date : 14/02/2018

Description:

This document describes how to set up CA TOP SECRET generated DIGITAL CERTIFICATES signed by a CA TOP SECRET Certificate Authority (CA) for use with TELNET.

Solution:

NOTE:
The following are example commands and may vary depending on your naming conventions and environment. Please adjust the sample commands according to your site standards and environment. Please see the CA TOP SECRET COOKBOOK for the syntax and usage of the commands.

  1. If you don't already have a Certificate Authority generated by CA TOP SECRET, use the following example command to generate one.

    Example:

    TSS GENCERT(CERTAUTH) DIGICERT(TSSCA) -
    SUBJECTN('O="COMPANYA" CN=" TSS CA" -
    OU="SYSTEMSDEPT" C="US" ') -
    LABLCERT('TSSCA') KEYUSAGE(CERTSIGN)


    • TSSCA is the digital certificate name in CA TOP SECRET.
    • The LABLCERT is 'TSSCA'.
    • Modify the SUBJECTN to your site standards.


  2. Generate a certificate for the TCP started task with the TSS GENCERT command, signed by the CA TOP SECRET generated Certificate Authority 'TSSCA':

    Example:

    TSS GENCERT(TCP) DIGICERT(TCPCERTS) -
    SUBJECTN('O="COMPANYA" CN=" TCP cert" -
    OU="SYSTEMSDEPT" C="US" ') -
    LABLCERT('TCPCERTS') SIGNWITH(CERTAUTH,TSSCA)


    • In this example TCP is the region acid.
    • TCPCERTS is the digital certificate name in CA TOP SECRET.
    • The LABLCERT is 'TCPCERTS'.
    • Modify the SUBJECTN to your site standards.


  3. Create the TCP KEYRING with the TSS ADD command.

    Example:

    TSS ADD(TCP) KEYRING(TCPRING) -
    LABLRING('TCPRING')


  4. Add the certificate to the KEYRING with the TSS ADD command.

    Example:

    TSS ADD(TCP) KEYRING(TCPRING) -
    RINGDATA(TCP,TCPCERTS) USAGE(PERSONAL) DEFAULT


  5. Export the certificate to a dataset with the TSS EXPORT command.

    Example:

    TSS EXPORT(TCP) DIGICERT(TCPCERTS) -
    DCDSN('TCP.SIGNED.CERT') LABLCERT(TCPCERTS)


  6. Send the certificate dataset to the client.

  7. Specify the TCP KEYRING to be used via the KEYRING parameter in the TCP/IP profile.

    Example:

    "KEYRING SAF TCPRING"

  8. Add the Certificate Authority to TCP KEYRING with the TSS ADD command.

    Example:

    TSS ADD(TCP) KEYRING(TCPRING) -
    RINGDATA(CERTAUTH,TSSCA) USAGE(CERTAUTH)

    • USAGE(CERTAUTH) must be specified.


  9. Permit the FTP acid access to the SSL KEYRING, certificates and mappings via the TSS PERMIT command:

    TSS PER(TCP) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
    TSS PER(TCP) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
    TSS PER(TCP) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)

Note: If acid CERTSITE is the owner of the certificate, ACC(CONTROL) needs to be specified instead of ACC(UPDATE).
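
The following pre-flight check is an added example, not part of the original document or of CA TOP SECRET. It reads a deck of TSS commands written as in steps 1, 2, 4 and 8 and reports any keyring that holds a signed certificate without its signing CA connected with USAGE(CERTAUTH). The function names are hypothetical, and the parser assumes the `KEYWORD(value)` form and `-` line continuation shown in the examples above.

```python
import re

# Constructed sample: the commands from steps 1, 2, 4 and 8 of this page.
DECK = """\
TSS GENCERT(CERTAUTH) DIGICERT(TSSCA) -
SUBJECTN('O="COMPANYA" CN=" TSS CA" -
OU="SYSTEMSDEPT" C="US" ') -
LABLCERT('TSSCA') KEYUSAGE(CERTSIGN)
TSS GENCERT(TCP) DIGICERT(TCPCERTS) -
SUBJECTN('O="COMPANYA" CN=" TCP cert" -
OU="SYSTEMSDEPT" C="US" ') -
LABLCERT('TCPCERTS') SIGNWITH(CERTAUTH,TSSCA)
TSS ADD(TCP) KEYRING(TCPRING) -
RINGDATA(TCP,TCPCERTS) USAGE(PERSONAL) DEFAULT
TSS ADD(TCP) KEYRING(TCPRING) -
RINGDATA(CERTAUTH,TSSCA) USAGE(CERTAUTH)
"""

def join_commands(text):
    """Fold lines ending in the '-' continuation character into single commands."""
    folded = re.sub(r"-[ \t]*\n", " ", text)
    return [c.strip() for c in folded.splitlines() if c.strip()]

def kw(cmd, name):
    """Return the operand of KEYWORD(...) in a command, or None if absent."""
    m = re.search(rf"\b{name}\(([^)]*)\)", cmd)
    return m.group(1) if m else None

def lint(text):
    """List rings where a signed certificate lacks its CA with USAGE(CERTAUTH)."""
    signer, rings = {}, {}  # cert -> signing CA; (acid, ring) -> {cert: USAGE}
    for cmd in join_commands(text):
        if cmd.startswith("TSS GENCERT") and kw(cmd, "SIGNWITH"):
            cert = (kw(cmd, "GENCERT"), kw(cmd, "DIGICERT"))
            signer[cert] = tuple(kw(cmd, "SIGNWITH").split(","))
        elif cmd.startswith("TSS ADD") and kw(cmd, "RINGDATA"):
            ring = rings.setdefault((kw(cmd, "ADD"), kw(cmd, "KEYRING")), {})
            ring[tuple(kw(cmd, "RINGDATA").split(","))] = kw(cmd, "USAGE")
    problems = []
    for (_, name), members in rings.items():
        for cert in members:
            ca = signer.get(cert)
            if ca and ca not in members:
                problems.append(f"{name}: signing CA {ca[1]} of {cert[1]} is not connected")
            elif ca and members[ca] != "CERTAUTH":
                problems.append(f"{name}: CA {ca[1]} is connected without USAGE(CERTAUTH)")
    return problems
```

`lint(DECK)` returns an empty list for the commands as documented; dropping step 8 or changing its USAGE value produces one finding for TCPRING.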