What FTP transfer mode should be used to import and export Certificates to/from CA ACF2?

Document ID : KB000032105
Last Modified Date : 14/02/2018

Description:

The ACF2 INSERT (import) and EXPORT subcommands can be used to import or export an X.509 digital certificate from a z/OS dataset.
The z/OS interim dataset should be FTP'd in either BINary or ASCII mode, depending on the format of the certificate.

Resolution:

The ACF2 INSERT (import) and EXPORT subcommands can be used to import or export an X.509 digital certificate from a z/OS dataset.

These z/OS datasets are used as an interim file that is FTP'd to and from another system, or a personal computer's web browser or an application's keystore.

FTP file transfers can be done in ASCII or Binary mode (format).

When files are transferred in ASCII mode, the transferred data is considered to contain only ASCII formatted text. With ASCII mode, special control characters may be used to format data.

When files are transferred in Binary mode, files are transferred as a binary stream of data. With Binary mode, the raw bytes of the file are transferred.

When exporting an X.509 digital certificate from the CA ACF2 database to a z/OS dataset in any of the X.509 Distinguished Encoding Rules (DER) formats, such as FORMAT CERTDER, PKCS12DER or PKCS7DER, the z/OS dataset should be transferred with FTP using BINARY or IMAGE mode.

Note: When doing an EXPORT with CA ACF2, if FORMAT is not specified, the default format is CERTB64, or PKCS12B64 if PASSWORD is specified.

When doing an INSERT of an X.509 digital certificate into the CA ACF2 database from a z/OS dataset that was encoded using base-64 encoding, which corresponds to the ACF2 formats CERTB64, PKCS12B64, or PKCS7B64, the z/OS dataset should have been transferred with FTP using ASCII or TEXT mode.

Details can be found in Chapter 26: Digital Certificate Support, section 'Processing Digital Certifications with CA ACF2' in the CA ACF2™ for z/OS Administration Guide.
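
The format-to-mode rule above can be checked on the workstation side before a transfer. The following Python sketch is an added example, not CA ACF2 code: it inspects a certificate file's bytes and reports which FTP mode the rule calls for. The function names and sample data are assumptions made for illustration, and the sample "certificate" is a constructed DER SEQUENCE, not a real one.

```python
import base64
import binascii

def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) with a matching length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                          # short-form length
        header, body = 2, first
    else:                                     # long form: n length octets follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False                      # indefinite-length BER is not handled
        header, body = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + body == len(data)

def ftp_mode_for(data: bytes) -> str:
    """Return 'BINARY', 'ASCII' or 'UNKNOWN' for the contents of a certificate file."""
    if der_length_ok(data):
        return "BINARY"                       # CERTDER, PKCS12DER, PKCS7DER
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "UNKNOWN"                      # neither DER nor text
    lines = [line.strip() for line in text.splitlines()]
    payload = "".join(l for l in lines if l and not l.startswith("-----"))
    try:
        decoded = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return "UNKNOWN"
    # Base-64 text wrapping a DER structure: CERTB64, PKCS12B64, PKCS7B64
    return "ASCII" if der_length_ok(decoded) else "UNKNOWN"

# Constructed sample: a 256-byte SEQUENCE standing in for a DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# The same DER bytes after a text-mode style line-ending rewrite (LF -> CRLF).
SAMPLE_DAMAGED = SAMPLE_DER.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("b64", SAMPLE_B64), ("damaged", SAMPLE_DAMAGED)]:
        print(name, ftp_mode_for(blob))
```

An `UNKNOWN` result on a file that was exported in a DER format is a sign that it was moved in text mode at some point and should be transferred again in BINARY mode.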