These steps assume you are creating a separate key database for the Ironstream certificates and keys. To use an existing key database instead, consult the IBM documentation for creating mainframe and client certificates and keys in an existing database. Certificates obtained from a third-party certificate supplier must be imported into an existing key database, which is specified in Step 10.
This procedure requires that the IBM "Cryptographic Services System SSL" and "Cryptographic Services Security Level 3" packages are installed on the mainframe LPAR.
Step 1 - Creating the key database
From a Unix System Services shell, run the gskkyman program. Select option 1 to create a new database and follow the prompts, choosing the options appropriate for your needs.
In this example, we create a key database named "example", choose a password, and accept the defaults for password expiration and database record length. Enter "0" for the FIPS mode database option, because FIPS mode is not supported by the MID server application. This creates the "example" database file in the directory where gskkyman was run. The location of this database file is needed again in Step 10.
Step 2 - Store the database password
After pressing Enter, you are returned to the Key Management Menu. Select option 10 to store the key database password in a stash file. The stash file holds a masked, recoverable copy of the password, so restrict read access to it to the user ID that runs Ironstream. The location of the stash file is needed in Step 10.
Step 3 - Creating the certificate authority
After pressing Enter, you will be taken back to the Key Management Menu. Select option 6 to create a self-signed certificate, and then select option 1 on the next menu to create a CA certificate. In this example, the CA certificate will be called "example_ca".
Select the options that are appropriate for your needs in the next menus. For this example, we create a 2048-bit RSA key and use a SHA-256 signature.
From the Key Management Menu, select option 1 to open the Key and Certificate List, then select the newly created CA certificate ("example_ca") to open its Key and Certificate Menu.
Step 4 - Creating the mainframe key and certificate
Select option 10 to create a signed certificate and key. From the next menu, select option 2 to create a user or server certificate.
For the mainframe certificate, the Common name must match the fully qualified domain name of the mainframe node (for example, example.eview-tech.com).
Press Enter to return to the Key and Certificate Menu for the certificate authority.
Step 5 - Creating the client key and certificate
Repeat Step 4 to create a client key and certificate. Give the new certificate a label that differs from the label of the mainframe certificate created in Step 4, and enter the MID server name in the Common name field.
Press Enter to return to the Key and Certificate List.
Step 6 - Set the mainframe key as the default
Select the mainframe certificate from the Key and Certificate List and then choose option 3 to set it as the default key for the key database.
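The database and stash file created in Steps 1 and 2 protect every key created afterwards: the stash file is a masked copy of the database password, so anyone who can read it together with the key database can open the database and use the mainframe and client private keys from Steps 4 and 5. The following POSIX shell script is an added example, not part of the Ironstream or IBM documentation, that checks the permissions of the gskkyman files and tightens them to owner-only. It assumes the page's database name "example" and the standard gskkyman file names example.kdb, example.rdb, example.crl and example.sth in the directory where gskkyman was run; the .rdb and .crl files are checked only when present.

```shell
#!/bin/sh
# Added example, not from the Ironstream or IBM documentation.
# Checks that the gskkyman key database (example.kdb, plus example.rdb and
# example.crl when present) and the stash file (example.sth) are readable and
# writable by their owner only, and optionally fixes them. The database name
# "example" and the directory are assumptions taken from the walkthrough above.

# Print the 10-character permission string of a file (e.g. -rw-------).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_keydb_perms DIR NAME
# Exit status 0 when NAME.kdb and NAME.sth exist and every present database
# file is mode 600; 1 when a required file is missing or any file grants
# read, write or execute permission to group or others.
check_keydb_perms() {
    dir=$1
    name=$2
    rc=0
    for ext in kdb sth rdb crl; do
        f="$dir/$name.$ext"
        if [ ! -f "$f" ]; then
            # The request and CRL databases are optional; the key database
            # and the stash file are required for the Ironstream setup.
            case "$ext" in
                kdb|sth) echo "MISSING: $f"; rc=1 ;;
            esac
            continue
        fi
        mode=$(file_mode "$f")
        # Characters 5-10 of the mode string are the group and other bits;
        # only an all-dash value means nobody but the owner has access.
        case "$mode" in
            ????------) echo "OK:      $mode $f" ;;
            *)          echo "EXPOSED: $mode $f"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_keydb_perms DIR NAME
# Restrict every present database file to its owner (chmod 600), then
# re-run the check so the caller sees the resulting state.
fix_keydb_perms() {
    dir=$1
    name=$2
    for ext in kdb sth rdb crl; do
        f="$dir/$name.$ext"
        if [ -f "$f" ]; then
            chmod 600 "$f"
        fi
    done
    check_keydb_perms "$dir" "$name"
}

# Usage, from the directory where gskkyman was run:
#   . ./check_keydb.sh
#   check_keydb_perms . example || fix_keydb_perms . example
```

Run `check_keydb_perms . example` from the directory where gskkyman was run, and `fix_keydb_perms . example` if it reports any file as EXPOSED or the stash file is group or world readable. Setting `umask 077` in the shell before starting gskkyman means any file it creates starts out without group or other permission, whatever mode the program itself requests, so the check should then pass without a fix.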