Creating a RACF signed personal certificate
RACF® can function as a Certification Authority and issue its own CA certificate. This section uses the term signer certificate to denote a CA certificate issued by RACF.

The private key for the signer certificate must be in the RACF database before you carry out the following procedure:
- Use the following command to generate a personal certificate signed by RACF, using the signer certificate contained in your RACF database:

    RACDCERT ID(userid2) GENCERT
    SUBJECTSDN(CN('common-name')
               T('title')
               OU('organizational-unit')
               O('organization')
               L('locality')
               SP('state-or-province')
               C('country'))
    WITHLABEL('label-name')
    SIGNWITH(CERTAUTH LABEL('signer-label'))

- Connect the certificate to your key ring using the following command:

    RACDCERT ID(userid1)
    CONNECT(ID(userid2) LABEL('label-name') RING(ring-name) USAGE(PERSONAL))

where:
- userid1 is the user ID of the channel initiator address space or owner of the shared key ring.
- userid2 is the user ID associated with the certificate.
- ring-name is the name you gave the key ring in Setting up a key repository.
- label-name must be in the correct WebSphere MQ format for a queue manager: ibmWebSphereMQ followed by the name of your queue manager, for example, ibmWebSphereMQCSQ1.
- signer-label is the label of your own signer certificate.
Note that userid1 and userid2 can be the same ID.
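
The two steps above as a single TSO batch job, followed by two listing commands that let you confirm the certificate and its ring connection. This is an added example, not part of the original procedure. The job card, the user ID CHINUSR (used as both userid1 and userid2), the ring name MQRING, the signer label LOCALCA and the distinguished-name values are constructed placeholders; the queue manager name CSQ1 is taken from the label example above.

```jcl
//RACFCERT JOB (ACCT),'MQ PERSONAL CERT',CLASS=A,MSGCLASS=X
//* Added example with constructed values (not from the original page):
//*   CHINUSR = user ID used as both userid1 and userid2
//*   MQRING  = key ring name, LOCALCA = label of the signer certificate
//*   Job card parameters are site-specific assumptions.
//* The private key for the signer certificate must already be in the
//* RACF database, as the procedure requires.
//* A trailing hyphen continues a TSO command onto the next line.
//* The last two commands only display: LIST shows the new certificate,
//* LISTRING shows the certificates connected to the ring and their usage.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(CHINUSR) GENCERT -
    SUBJECTSDN(CN('CSQ1') -
               OU('Messaging') -
               O('Example Corp') -
               C('US')) -
    WITHLABEL('ibmWebSphereMQCSQ1') -
    SIGNWITH(CERTAUTH LABEL('LOCALCA'))
  RACDCERT ID(CHINUSR) -
    CONNECT(ID(CHINUSR) LABEL('ibmWebSphereMQCSQ1') -
            RING(MQRING) USAGE(PERSONAL))
  RACDCERT ID(CHINUSR) LIST(LABEL('ibmWebSphereMQCSQ1'))
  RACDCERT ID(CHINUSR) LISTRING(MQRING)
/*
```

In the SYSTSPRT output, check that the LIST result names the signer certificate as issuer and that LISTRING shows the label with PERSONAL usage.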