You must grant access to the appropriate profiles in the
FACILITY class in RACF to build a key ring in the RACF database, create
a signing certificate, and administer certificates in the key ring.
You must grant this access only to users who administer CICS
regions and not to general CICS users. The following profiles are
available:
Access level | Profile | Description
--- | --- | ---
CONTROL | IRR.DIGTCERT.GENCERT | Allow certificates to be signed by a CERTAUTH certificate.
CONTROL | IRR.DIGTCERT.ADD | Allow a CERTAUTH certificate to be generated on first execution.
CONTROL | IRR.DIGTCERT.CONNECT | Connect CERTAUTH certificates for other users.
UPDATE | IRR.DIGTCERT.CONNECT | Connect CERTAUTH certificates to your key ring.
UPDATE | IRR.DIGTCERT.* | Manage certificates for other users.
READ | IRR.DIGTCERT.* | Manage certificates for your own user ID.
IRR.DIGTCERT.* contains the wildcard asterisk and is intended
as a generic profile.
CICS provides a sample REXX program, DFH$RING,
which you can edit to create a key ring, signing certificate, and
other certificates as appropriate. The default values are suitable
only for a test key ring and not for production. To run DFH$RING,
you must have the required authorization access in RACF.
- To allow generic profiles to be created in the FACILITY
class, issue the following command:
  SETROPTS GENERIC(FACILITY)
- Define the profiles. Issue the following commands:
  RDEFINE FACILITY(IRR.DIGTCERT.*)
  RDEFINE FACILITY(IRR.DIGTCERT.ADD)
  RDEFINE FACILITY(IRR.DIGTCERT.CONNECT)
  RDEFINE FACILITY(IRR.DIGTCERT.GENCERT)
- Refresh the in-storage profiles. If the FACILITY class is
RACLISTed, issue:
  SETROPTS RACLIST(FACILITY) REFRESH
  If it is not RACLISTed, issue:
  SETROPTS GENERIC(FACILITY) REFRESH
- Give a user ID or group, ringuser, authority to use the RACF
commands to create and manage certificates. Issue the following
commands:
  PERMIT IRR.DIGTCERT.* CLASS(FACILITY) ID(ringuser) ACCESS(READ)
  PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL)
  For IRR.DIGTCERT.CONNECT, issue one of the following. UPDATE
  access lets ringuser connect certificates to its own key ring:
  PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(UPDATE)
  CONTROL access lets ringuser connect certificates to another
  user's key ring:
  PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL)
- Give a user ID, certauser, authority to create a signing
certificate (certificate authority certificate). RACF uses this
certificate to sign all the other certificates. Issue the following
command:
  PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(certauser) ACCESS(CONTROL)
If you plan to use the DFH$RING program, your user ID must have
CONTROL access to create the signing certificate the first time you
run the program. After you have created the signing certificate, you
require only UPDATE access.
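As an added example (not the CICS-supplied DFH$RING and not code from the original page), the following REXX exec issues the RACDCERT commands that the permits above authorize, in the order the steps imply, and stops at the first command that fails so a missing PERMIT is reported at the point where it bites. The CICS region user ID CICSREGN, the ring name CICSRING, the labels CICSTESTCA and CICSSERVER, the subject names and the expiry date are all assumptions; the FACILITY access each step needs is noted in the comments, and the defaults are for a test key ring only.

```rexx
/* REXX - added example, not the CICS-supplied DFH$RING.             */
/* Builds a TEST key ring for a CICS region user ID and checks the    */
/* return code of every RACF command. All names are assumptions:      */
/*   ringuser = CICSREGN  (CICS region user ID that owns the ring)    */
/*   ring     = CICSRING                                              */
/*   labels   = CICSTESTCA (signing CA), CICSSERVER (server cert)     */
/* Run from TSO under a user ID holding the FACILITY access the text  */
/* describes; defaults here are suitable for a test ring only.        */

ringuser = 'CICSREGN'
ring     = 'CICSRING'
calabel  = 'CICSTESTCA'
srvlabel = 'CICSSERVER'
address tso

/* 1. Signing (CERTAUTH) certificate. Creating it the first time     */
/*    needs CONTROL on IRR.DIGTCERT.ADD.                              */
call racf "RACDCERT CERTAUTH GENCERT",
  "SUBJECTSDN(CN('CICS test CA') O('Example') C('US'))",
  "WITHLABEL('"calabel"') NOTAFTER(DATE(2030-12-31))"

/* 2. Key ring owned by the CICS region user ID.                     */
call racf "RACDCERT ID("ringuser") ADDRING("ring")"

/* 3. Server certificate signed by the CA above.                     */
/*    Needs CONTROL on IRR.DIGTCERT.GENCERT.                          */
call racf "RACDCERT ID("ringuser") GENCERT",
  "SUBJECTSDN(CN('cics.example.com') O('Example') C('US'))",
  "WITHLABEL('"srvlabel"')",
  "SIGNWITH(CERTAUTH LABEL('"calabel"'))"

/* 4. Connect both certificates to the ring. Connecting a CERTAUTH   */
/*    certificate to another user's ring needs CONTROL on             */
/*    IRR.DIGTCERT.CONNECT; connecting to your own ring needs UPDATE. */
call racf "RACDCERT ID("ringuser") CONNECT(CERTAUTH",
  "LABEL('"calabel"') RING("ring") USAGE(CERTAUTH))"
call racf "RACDCERT ID("ringuser") CONNECT(",
  "LABEL('"srvlabel"') RING("ring") DEFAULT)"

/* 5. Show what ended up in the ring so the result can be checked.   */
call racf "RACDCERT ID("ringuser") LISTRING("ring")"
exit 0

/* Issue one RACF command; stop the exec on a non-zero return code   */
/* so the failing step and its access requirement are visible.       */
racf: procedure
  parse arg cmd
  say '>>' cmd
  cmd
  if rc <> 0 then do
    say 'RC='rc 'from RACDCERT; check FACILITY class access.'
    exit rc
  end
return
```

Run the exec once to create the signing certificate (CONTROL on IRR.DIGTCERT.ADD), then subsequent certificate work for the same ring needs only the UPDATE and GENCERT permits described above, which matches the access reduction the text recommends after first use.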
You can add certificate information for your own user ID if
you have READ access to the IRR.DIGTCERT.ADD profile in the FACILITY
class. You can add certificate information for other user IDs if you
have UPDATE access to the IRR.DIGTCERT.ADD profile in the FACILITY
class. If you have SPECIAL authority, you can run RACDCERT ADD for
any user ID. With SPECIAL authority you can also generate a digital
certificate for any RACF-defined user, or for any certificate
authority or site certificate.
If you want to use a certificate from a certificate authority
to authenticate with a client, create a certificate request using
RACF and send it to the certificate authority. If you
want to use RACF certificates only, you can build a key ring.