The key rings that CICS® Transaction Gateway uses when establishing secure SSL connections are stored in RACF®. This provides an alternative to Java™ keystore (.jks) files stored in the zFS (a z/OS UNIX System Services file system).
The key ring must contain a personal certificate and the certificate authority certificate used to sign it. The key ring must be accessible by the user ID under which the Gateway daemon is running.
To create and maintain RACF key rings, you can either use the RACDCERT native command or the DIGITAL CERTIFICATES AND KEY RINGS panels found under the main RACF service options panel in ISPF.
For information on creating certificates and key rings in RACF, see the z/OS® Security Server RACF Security Administrator's Guide.
The key ring that CICS Transaction Gateway uses must contain the personal certificate with its private key connected as a personal certificate. It must also contain the Certificate Authority certificate used to sign the personal certificate, attached as a CERTAUTH certificate. The use of certificates connected as SITE is not supported.
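The ring layout described above, shown as an added example that is not taken from the IBM documentation: TSO commands that create a CA certificate and a personal certificate, connect both to a ring with the required usages, and list the result. The user ID `CTGUSER`, the ring name `CTGRING`, the certificate labels and the subject names are hypothetical, and the `PERMIT` assumes the `IRR.DIGTCERT.LISTRING` profile is already defined in the FACILITY class.

```tso
/* Hypothetical names: CTGUSER = user ID the Gateway daemon runs under, */
/* CTGRING = key ring, labels and subject names are samples             */

/* 1. CA certificate, owned by CERTAUTH, used to sign the personal cert */
RACDCERT CERTAUTH GENCERT -
  SUBJECTSDN(CN('Example CTG CA') O('Example Org') C('US')) -
  WITHLABEL('Example CTG CA') -
  KEYUSAGE(CERTSIGN)

/* 2. Personal certificate and private key, owned by the daemon user ID */
RACDCERT ID(CTGUSER) GENCERT -
  SUBJECTSDN(CN('ctg.example.com') O('Example Org') C('US')) -
  WITHLABEL('CTG Server Cert') -
  SIGNWITH(CERTAUTH LABEL('Example CTG CA'))

/* 3. Key ring owned by the daemon user ID */
RACDCERT ID(CTGUSER) ADDRING(CTGRING)

/* 4. Connect the CA certificate as CERTAUTH and the personal           */
/*    certificate as PERSONAL (SITE connections are not supported)      */
RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('Example CTG CA') -
  RING(CTGRING) USAGE(CERTAUTH))
RACDCERT ID(CTGUSER) CONNECT(ID(CTGUSER) LABEL('CTG Server Cert') -
  RING(CTGRING) USAGE(PERSONAL))

/* 5. Let the daemon user ID read its own key ring                      */
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CTGUSER) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 6. Needed only if the DIGTCERT and DIGTRING classes are RACLISTed    */
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH

/* 7. Verify the ring contents and the usage of each connection         */
RACDCERT ID(CTGUSER) LISTRING(CTGRING)
```

In the `LISTRING` output, the personal certificate should show a usage of PERSONAL and the CA certificate a usage of CERTAUTH; an entry with a usage of SITE indicates a ring that CICS Transaction Gateway does not support.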
You export the personal certificate to the client keystore using FTP:
For more information see SSL protocol parameters.