Authorizing users to administer certificates in the key ring

You must grant access to the appropriate profiles in the FACILITY class in RACF to build a key ring in the RACF database, create a signing certificate, and administer certificates in the key ring.

You must grant this access only to users who administer CICS regions and not to general CICS users. The following profiles are available:
Access level  Profile               Description
CONTROL       IRR.DIGTCERT.GENCERT  Allow certificates to be signed by a CERTAUTH certificate.
              IRR.DIGTCERT.ADD      Allow a CERTAUTH certificate to be generated on first execution.
              IRR.DIGTCERT.CONNECT  Connect CERTAUTH certificates for other users.
UPDATE        IRR.DIGTCERT.CONNECT  Connect CERTAUTH certificates to your key ring.
              IRR.DIGTCERT.*        Manage certificates for other users.
READ          IRR.DIGTCERT.*        Manage certificates for your own user ID.

IRR.DIGTCERT.* contains the wildcard asterisk and is intended as a generic profile.

CICS provides a sample REXX program, DFH$RING, which you can edit to create a key ring, signing certificate, and other certificates as appropriate. The default values are suitable only for a test key ring and not for production. To run DFH$RING, you must have the required authorization access in RACF.

  1. To allow generic profiles to be created in the FACILITY class, issue the following command:
    SETROPTS GENERIC(FACILITY)
  2. Issue the following commands:
    RDEFINE FACILITY(IRR.DIGTCERT.*)    
    RDEFINE FACILITY(IRR.DIGTCERT.ADD)    
    RDEFINE FACILITY(IRR.DIGTCERT.CONNECT)    
    RDEFINE FACILITY(IRR.DIGTCERT.GENCERT) 
  3. If the FACILITY class is RACLISTed, issue the first of the following commands; otherwise issue the second:
    SETROPTS RACLIST(FACILITY) REFRESH
    SETROPTS GENERIC(FACILITY) REFRESH
  4. Give a user ID or group, ringuser, authority to use the RACF commands to create and manage certificates. Issue the following commands:
    PERMIT IRR.DIGTCERT.*       CLASS(FACILITY) ID(ringuser) ACCESS(READ)    
    PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(UPDATE)  (for self)    
    PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL)  (for another user)    
    PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL) 
  5. Give a user ID, certauser, authority to create a signing certificate (certificate authority certificate). RACF uses this certificate to sign all the other certificates. Issue the following command:
      PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(certauser) ACCESS(CONTROL) 
    If you plan to use the DFH$RING program, your user ID must have CONTROL access to create the signing certificate the first time you run the program. After you have created the signing certificate, you require only UPDATE access.
You can add certificate information for your own user ID if you have READ access to the IRR.DIGTCERT.ADD profile in the FACILITY class. You can add certificate information for other user IDs if you have UPDATE access to the IRR.DIGTCERT.ADD profile in the FACILITY class. If you have SPECIAL authority, you can run RACDCERT ADD for any user ID. You can also generate a digital certificate for any RACF-defined user or for any certificate authority or site certificate with SPECIAL authority.
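As an added example (not IBM's code and not part of DFH$RING), the following Python models the PERMITs from steps 2 to 5 and checks them against the access levels in the table above and the RACDCERT ADD rules in the preceding paragraph. The profile names and user IDs are the page's; the matching rule (a discrete profile takes precedence over a generic one, and a user not on the access list gets the profile's UACC, taken as NONE) is assumed standard RACF behaviour. It shows that once the discrete IRR.DIGTCERT.ADD profile exists, ringuser's READ on IRR.DIGTCERT.* no longer covers RACDCERT ADD.

```python
# Added example, not IBM's code. Least-privilege check for the FACILITY
# profiles on this page. Assumptions: discrete profile wins over generic,
# UACC(NONE) on every profile, hierarchy NONE < READ < UPDATE < CONTROL.
# Generic matching is simplified to "prefix.*" covering one more qualifier.

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL"]

# Profiles from step 2 with the access lists produced by steps 4 and 5.
PROFILES = {
    "IRR.DIGTCERT.*":       {"ringuser": "READ"},
    "IRR.DIGTCERT.ADD":     {"certauser": "CONTROL"},
    "IRR.DIGTCERT.CONNECT": {"ringuser": "UPDATE"},
    "IRR.DIGTCERT.GENCERT": {"ringuser": "CONTROL"},
}

# Minimum access each operation needs, taken from the table and the
# RACDCERT ADD paragraph on this page.
REQUIRED = {
    "sign_with_certauth":   ("IRR.DIGTCERT.GENCERT", "CONTROL"),
    "create_certauth_cert": ("IRR.DIGTCERT.ADD",     "CONTROL"),
    "add_cert_own_id":      ("IRR.DIGTCERT.ADD",     "READ"),
    "add_cert_other_id":    ("IRR.DIGTCERT.ADD",     "UPDATE"),
    "connect_own_ring":     ("IRR.DIGTCERT.CONNECT", "UPDATE"),
    "connect_other_user":   ("IRR.DIGTCERT.CONNECT", "CONTROL"),
}


def matching_profile(resource):
    """Profile RACF would check: the discrete name if defined, otherwise
    the generic whose prefix covers the resource, otherwise None."""
    if resource in PROFILES:
        return resource
    generic = resource.rsplit(".", 1)[0] + ".*"
    return generic if generic in PROFILES else None


def effective_access(user, resource):
    """Access level user holds on resource through the matching profile."""
    profile = matching_profile(resource)
    if profile is None:
        return "NONE"
    return PROFILES[profile].get(user, "NONE")  # UACC assumed NONE


def can(user, operation):
    resource, needed = REQUIRED[operation]
    return LEVELS.index(effective_access(user, resource)) >= LEVELS.index(needed)


def audit(user):
    """Every operation and whether user may perform it: use it to spot both
    missing grants and grants wider than the role needs."""
    return {op: can(user, op) for op in REQUIRED}
```

Running audit("ringuser") shows the signing and own-ring CONNECT operations permitted but every RACDCERT ADD operation denied, because the discrete IRR.DIGTCERT.ADD profile shadows the generic one.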
If you want to use a certificate from a certificate authority to authenticate with a client, create a certificate request using RACF and send it to the certificate authority. If you want to use RACF certificates only, you can build a key ring.