Note: A separate RACF keyring must be created for each LPAR.

1. Create a key ring for the LPAR by applying this command:

   RACDCERT ADDRING(<name of the new key ring>) ID(<userID>)

   Where:
   <name of the new key ring>
       The name of the key ring that you require. For easy identification, it is best to use a descriptive name that includes the LPAR name.
   <userID>
       The user ID of the key ring owner. This must be the user ID that is assigned to the Ironstream agent.
2. Connect the certificate authority to the key ring by applying this command:

   RACDCERT CONNECT(CERTAUTH LABEL('<label name>') RING(<key ring name>) USAGE(CERTAUTH)) ID(<userID>)

   Where:
   <label name>
       The label of the certificate that is being connected to the key ring. This is either the label applied to the self-signed certificate authority or the label of an existing certificate authority.
   <key ring name>
       The name of the key ring to which the certificate authority is being connected.
   <userID>
       The user ID of the key ring owner. This must be the user ID that is assigned to the Ironstream agent.
3. Generate the mainframe server certificate and key by applying this command:

   RACDCERT GENCERT ID(<userID>) SUBJECTSDN(CN('<LPAR FQDN>') OU('<org unit>') O('<org>') C('<country code>')) SIZE(2048) WITHLABEL('<server certificate label>') KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('<certificate authority label>')) ALTNAME(IP(<mainframe IP address>) DOMAIN('<LPAR FQDN>'))

   Where:
   <userID>
       The user ID of the certificate owner. This must be the user ID that is assigned to the Ironstream agent.
   <LPAR FQDN>
       Used in both the CN parameter and the DOMAIN parameter: the fully qualified domain name of the LPAR.
   <org unit>
       Your organization’s unit.
   <org>
       Your organization’s name.
   <country code>
       The two-character country code of your organization.
   <server certificate label>
       The label for this certificate. For easy identification, it is best to use a descriptive name that includes the LPAR name.
   <certificate authority label>
       The label assigned to the certificate authority whose private key will be used to sign the certificate. This is the certificate authority connected in step 2.
   <mainframe IP address>
       The fully qualified numeric IP address of the mainframe.
4. Generate the client certificate and key by applying this command:

   RACDCERT GENCERT ID(<userID>) SUBJECTSDN(CN('<proxy FQDN>') OU('<org unit>') O('<org>') C('<country code>')) SIZE(2048) WITHLABEL('<client certificate label>') KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('<certificate authority label>')) ALTNAME(IP(<proxy IP address>) DOMAIN('<proxy FQDN>'))

   Where:
   <userID>
       The user ID of the certificate owner. This must be the user ID that is assigned to the Ironstream agent.
   <proxy FQDN>
       Used in both the CN parameter and the DOMAIN parameter: the fully qualified domain name of the server on which the Ironstream client (proxy server) is installed.
   <org unit>
       Your organization’s unit.
   <org>
       Your organization’s name.
   <country code>
       The two-character country code of your organization.
   <client certificate label>
       The label for this certificate. For easy identification, it is best to use a descriptive name that includes the LPAR name.
   <certificate authority label>
       The label assigned to the certificate authority whose private key will be used to sign the certificate. This is the certificate authority connected in step 2.
   <proxy IP address>
       The fully qualified numeric IP address of the server on which the Ironstream client (proxy server) is installed.
5. Export the client certificate and key by applying this command:

   RACDCERT EXPORT(LABEL('<client certificate label>')) ID(<userID>) DSN(<output data set name>) FORMAT(PKCS12DER) PASSWORD('<pkcs12 password>')

   Where:
   <client certificate label>
       The label of the certificate that is being exported. This should be the same label that was used in step 4 to generate the client certificate.
   <userID>
       The user ID of the certificate owner. This must be the user ID that is assigned to the Ironstream agent.
   <output data set name>
       The name of the data set that is to contain the certificate.
   <pkcs12 password>
       The password to use for PKCS #12 package encryption.

6. Transfer the exported PKCS12 file to the MID or Probe server using binary transfer, and enter the name into the mainframe configuration in the web configuration interface.
7. Connect the mainframe LPAR server certificate to the key ring for this LPAR by applying this command:

   RACDCERT CONNECT(ID(<userID>) LABEL('<server certificate label>') RING(<name of the new key ring>) DEFAULT) ID(<userID>)

   Where:
   <userID>
       The user ID of the certificate owner. This must be the user ID that is assigned to the Ironstream agent.
   <server certificate label>
       The label of the certificate created in step 3.
   <name of the new key ring>
       The name of the key ring created in step 1.
8. If your DIGTCERT or DIGTRING classes are RACLISTed, run this RACF command to activate the changes:

   SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
9. Specify the RACF key ring name on the agent’s TCP parameter line. In the KEYF parameter, specify the ID that owns the key ring (<userID>) followed by a “/” and the name of the key ring for the LPAR. For example:

   TCP 6106 6107 TLS=Y KEYF=start2/TREX_RING STAF=-

   Note: The STAF parameter must contain a “-” to indicate that there is no stash file. If the user ID that owns the key ring is different from the agent started task ID, the agent started task ID must have access to the key ring.
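The whole procedure with the placeholders filled in, as an added worked example that is not part of the Ironstream documentation. It assumes the commands are run as a batch TSO job, an agent user ID IRONAGT, an LPAR called LPAR1, a certificate authority already held under CERTAUTH with the label IRONCA, and constructed example.com host names, TEST-NET addresses and PKCS #12 password; the two LIST commands at the end are the check that the ring holds the CA and the default server certificate.

```jcl
//RACFCERT JOB (ACCT),'IRONSTREAM KEYRING',CLASS=A,MSGCLASS=X
//* Added worked example; not taken from the Ironstream documentation.
//* Constructed values: LPAR name LPAR1, agent user ID IRONAGT, a CA
//* already held under CERTAUTH with label IRONCA, example.com host
//* names, TEST-NET addresses and a placeholder PKCS #12 password.
//* A TSO command ending in '-' continues on the next line.
//* Command 1: one key ring per LPAR, owned by the agent user ID.
//* Command 2: connect the CA to the ring as a trusted CERTAUTH entry.
//* Commands 3 and 4: server and client certificates; CN and DOMAIN
//*   both carry the host FQDN, SIZE(2048), signed by IRONCA.
//* Command 5: export the client cert and key as password-protected
//*   PKCS #12 in a data set to be transferred in binary (step 6).
//* Command 6: the server cert becomes the ring's DEFAULT certificate.
//* Command 7: refresh the RACLISTed classes.
//* Commands 8 and 9: checks. LISTRING should show IRONCA (CERTAUTH)
//*   and LPAR1_SERVER marked DEFAULT; the client cert is not in it.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ADDRING(LPAR1_RING) ID(IRONAGT)
  RACDCERT CONNECT(CERTAUTH LABEL('IRONCA') RING(LPAR1_RING) -
           USAGE(CERTAUTH)) ID(IRONAGT)
  RACDCERT GENCERT ID(IRONAGT) -
           SUBJECTSDN(CN('lpar1.example.com') OU('Mainframe') -
           O('Example Corp') C('US')) SIZE(2048) -
           WITHLABEL('LPAR1_SERVER') KEYUSAGE(HANDSHAKE) -
           SIGNWITH(CERTAUTH LABEL('IRONCA')) -
           ALTNAME(IP(192.0.2.10) DOMAIN('lpar1.example.com'))
  RACDCERT GENCERT ID(IRONAGT) -
           SUBJECTSDN(CN('proxy1.example.com') OU('Mainframe') -
           O('Example Corp') C('US')) SIZE(2048) -
           WITHLABEL('LPAR1_CLIENT') KEYUSAGE(HANDSHAKE) -
           SIGNWITH(CERTAUTH LABEL('IRONCA')) -
           ALTNAME(IP(192.0.2.20) DOMAIN('proxy1.example.com'))
  RACDCERT EXPORT(LABEL('LPAR1_CLIENT')) ID(IRONAGT) -
           DSN('IRONAGT.LPAR1.CLIENT.P12') FORMAT(PKCS12DER) -
           PASSWORD('PLACEHOLDER-CHANGE-ME')
  RACDCERT CONNECT(ID(IRONAGT) LABEL('LPAR1_SERVER') -
           RING(LPAR1_RING) DEFAULT) ID(IRONAGT)
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT ID(IRONAGT) LISTRING(LPAR1_RING)
  RACDCERT ID(IRONAGT) LIST(LABEL('LPAR1_SERVER'))
/*
```

The matching agent parameter line for this ring would then be TCP 6106 6107 TLS=Y KEYF=IRONAGT/LPAR1_RING STAF=- (step 9).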