[z/OS]

Importing RACF certificates to WebSphere Application Server

It is often necessary to export certificates created in RACF and import them into a distributed WebSphere Application Server. Reasons for doing this are that you are preparing the distributed WebSphere Application Server for federation into an ND cell on z/OS or that you are using RACF as the certificate authority (CA) to issue certificates used by the distributed WebSphere Application Server cell.

Before you begin

You must have an existing CA certificate and server certificate from RACF or other security product that you want to export.

About this task

Complete the following steps to export the certificates from RACF, transfer them to the distributed WebSphere Application Server, and then import and install them using the administrative console:

Procedure

  1. Export the CA certificate without a password, in PKCS#7 binary format (DER).
  2. Export the server certificate with a password, in PKCS#12 binary format (P12).
  3. Perform the export by running a batch job like the one below. It runs the RACDCERT TSO command under IKJEFT01 and writes the two exported files to data sets:
    Note: You run this job with a user who has authority to update RACF.
    //KEARNEYB JOB CLASS=A,MSGCLASS=O
    //* Export the CA certificate (no password) as a single DER certificate,
    //* then the server certificate with its private key, password protected,
    //* as a PKCS#12 package.
    //STEP1 EXEC PGM=IKJEFT01,DYNAMNBR=20
    //SYSTSPRT DD SYSOUT=O
    //SYSTSIN DD *
    RACDCERT CERTAUTH EXPORT(LABEL('WebSphereCA.YY')) -
    DSN('KEARNEY.YYCA.DER') FORMAT(CERTDER)
    RACDCERT ID(YYACRU) EXPORT(LABEL('DefaultWASCert.YYSR')) -
    DSN('KEARNEY.YYCERT.P12') FORMAT(PKCS12DER) PASSWORD('secret')
    /*
  4. Use the file transfer program (FTP) in binary mode to transfer the files from z/OS to the distributed WebSphere Application Server.
  5. Login to the distributed WebSphere Application Server administrative console.
  6. Click Security > SSL certificate and key management > SSL configurations.
  7. Click on NodeDefaultSSLSettings. Under "Related items", click Key stores and certificates. NodeDefaultKeyStore and NodeDefaultTrustStore are files that contain the certificates used by this application server. You can administer these files through the administrative console.
  8. Click on NodeDefaultTrustStore. The NodeDefaultTrustStore contains the trusted signer certificates used by the application server. These include the CA certificate that signed the server certificate, or the CA certificates of other servers that this application server can communicate with.
  9. Under Additional properties, click Signer certificates. The default certificate is installed in the NodeDefaultTrustStore because it is self-signed. The dummyclientsigner and dummyserversigner certificates are there as well.
  10. Prepare to add the exported CA certificate. Click the Add button.
  11. Specify an alias (a label) for the certificate that you are importing. The file name points to the location of the CA certificate that you transferred (FTP) to the application server. The data type must be binary DER data because you exported the certificate in binary.
  12. Click the Apply button. You have just imported the CA certificate.
  13. Click Save and synchronize this change to the server and any nodes. The imported CA certificate now appears in the list of the NodeDefaultTrustStore. After restarting the application server, the server now trusts certificates issued by that imported CA.
  14. Click on NodeDefaultKeyStore.

    NodeDefaultKeyStore contains the personal certificate that the application server presents to clients in the SSL handshake.

    Note: You are installing the personal certificate that you exported from RACF. Although it's a personal certificate, it's often referred to as a server certificate, because it represents the identity of the server.
  15. Under Additional Properties, click Personal certificates. This is the personal certificate currently used by the application server; it was generated as part of the cell configuration process.
  16. Click default to see more detail. The 'default' certificate is self signed. That is, it is signed using its own private key. This certificate does not have an associated certificate authority (CA) certificate.
  17. Click the browser back button to return to the previous page.
  18. Click Import. You are now ready to replace the default certificate with the personal certificate you exported from RACF and transferred (FTP) to the application server.
  19. Click the Get key file aliases button. The Key file name field identifies the location of the exported .p12 file. The Type field is PKCS12. The Key file password field is the password you used when you exported the certificate from RACF.
    If the error message CWPKI0663E appears, see Troubleshooting an error when importing RACF certificates to WebSphere Application Server for information on resolving the problem. Then return to this step and proceed.
  20. Select a certificate alias from the Certificate alias to import drop down list and specify in the Imported certificate alias field a name for the imported certificate. The Certificate alias to import drop down list will have the alias (label) of the certificate in the .p12 file. The Imported certificate alias field is used for whatever you would like to call the certificate.
  21. Click Save and synchronize this change to the application server and any nodes in the configuration. The server certificate now appears in the list of personal certificates.
    Note: Servers only read their key stores when they start up, so the cell must be restarted for the new certificates to be used by WebSphere Application Server.
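The steps that most often go wrong are the binary transfer (step 4) and the import that follows it: a file sent in text mode is converted or padded and the console rejects it. The following script is an added example, not part of this IBM topic, that checks the transferred files before you start the console import. It parses only the outer DER structure, so it needs nothing beyond the Python standard library; the file names and the sample data it embeds are constructed for illustration. It also recognises the other RACDCERT export formats (FORMAT(PKCS7DER) and a Base64 export), which goes slightly beyond the two formats the procedure uses.

```python
# Added example, not part of the IBM topic: a pre-import check for the two files
# produced by the RACDCERT job once they have been transferred to the
# distributed node.  A non-binary FTP transfer converts or pads the bytes and
# the console then rejects the file; this parser catches that before the import.
import sys


def _read_len(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("invalid DER length encoding at offset %d" % pos)
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _read_tlv(buf, pos):
    """Return (tag, content, position after element) for the DER element at pos."""
    if pos + 1 >= len(buf):
        raise ValueError("unexpected end of data at offset %d" % pos)
    tag = buf[pos]
    length, start = _read_len(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("element at offset %d declares %d bytes but only %d remain "
                         "(truncated or text-mode transfer?)" % (pos, length, len(buf) - start))
    return tag, buf[start:end], end


# id-signedData, 1.2.840.113549.1.7.2: first element of a PKCS#7 ContentInfo
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def classify_export(data):
    """
    Classify the bytes of a RACDCERT export.  Returns 'x509-certificate'
    (FORMAT(CERTDER)), 'pkcs7' (FORMAT(PKCS7DER)), 'pkcs12' (FORMAT(PKCS12DER))
    or 'pem' (a Base64 export, which needs the console's Base64 data type rather
    than Binary DER data).  Raises ValueError for anything that is not clean DER.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if not data or data[0] != 0x30:
        raise ValueError("first byte 0x%02x is not a DER SEQUENCE (0x30); "
                         "was the file transferred in binary mode?" % (data[0] if data else 0))
    _, content, end = _read_tlv(data, 0)
    if end != len(data):
        raise ValueError("outer SEQUENCE ends at byte %d but the file has %d bytes "
                         "(trailing bytes suggest a text-mode transfer)" % (end, len(data)))
    inner_tag, inner, _ = _read_tlv(content, 0)
    if inner_tag == 0x30:                                  # tbsCertificate SEQUENCE
        return "x509-certificate"
    if inner_tag == 0x06 and inner == PKCS7_SIGNED_DATA_OID:
        return "pkcs7"
    if inner_tag == 0x02 and inner == b"\x03":             # PFX version INTEGER 3
        return "pkcs12"
    raise ValueError("DER SEQUENCE whose first element has unexpected tag 0x%02x" % inner_tag)


def check_file(path):
    """Read one transferred file and return its classification."""
    with open(path, "rb") as f:
        return classify_export(f.read())


def der(tag, content):
    """Encode a single DER element; used only to build constructed sample data."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


# Constructed stand-ins for the RACF exports: correct outer structure only,
# not real certificates.  The first one is long enough to need a long-form length.
SAMPLE_CERT_DER = der(0x30, der(0x30, der(0x04, b"x" * 200)) + der(0x30, b""))
SAMPLE_P12_DER = der(0x30, der(0x02, b"\x03") + der(0x30, b""))
SAMPLE_PKCS7_DER = der(0x30, der(0x06, PKCS7_SIGNED_DATA_OID) + der(0xA0, b""))

if __name__ == "__main__":
    # Usage: python check_export.py YYCA.DER YYCERT.P12
    for name in sys.argv[1:]:
        try:
            print("%s: %s" % (name, check_file(name)))
        except ValueError as e:
            print("%s: REJECT - %s" % (name, e))
```

Run it against the two files you received from z/OS. A CA file should classify as x509-certificate and the server file as pkcs12; anything reported as REJECT should be transferred again in binary mode rather than fed to the console, and a result of pem means the Base64 data type has to be selected on import instead of Binary DER data.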

Results

You have exported certificates created in RACF and imported them into a distributed WebSphere Application Server.
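For repeatable deployments the console steps above can be driven from wsadmin in Jython mode. The script below is an added example and not part of this IBM topic: it uses the AdminTask.addSignerCertificate and AdminTask.importCertificate commands that WebSphere provides for the trust store and key store (verify the parameter names against the command reference for your release). The cell and node names, file paths, password and aliases are placeholders, and the DryRunAdmin class is an assumption of this example that only records the calls when the script runs outside wsadmin.

```python
# Added example, not from the IBM topic: the console steps driven from wsadmin
# (Jython mode).  AdminTask.addSignerCertificate and AdminTask.importCertificate
# are WebSphere's AdminTask commands for the trust store and key store; check
# their parameters against your release's command reference.  Cell/node names,
# paths, password and aliases are placeholders.  Jython 2.1 syntax is used so
# older wsadmin levels load it too.

def signer_args(scope, ca_der_path, alias):
    """Parameters for addSignerCertificate: a binary DER CA file into the trust store."""
    return ('[-keyStoreName NodeDefaultTrustStore -keyStoreScope %s '
            '-certificateAlias %s -certificateFilePath %s -base64Encoded false]'
            % (scope, alias, ca_der_path))


def personal_args(scope, p12_path, p12_password, alias_in_file, new_alias):
    """Parameters for importCertificate: the PKCS#12 server certificate into the key store."""
    return ('[-keyStoreName NodeDefaultKeyStore -keyStoreScope %s '
            '-keyFilePath %s -keyFilePassword %s -keyFileType PKCS12 '
            '-certificateAliasFromKeyFile %s -certificateAlias %s]'
            % (scope, p12_path, p12_password, alias_in_file, new_alias))


def import_racf_certificates(admin_task, admin_config, scope, ca_der_path, ca_alias,
                             p12_path, p12_password, alias_in_file, server_alias):
    """Add the CA signer, import the personal certificate, then save the configuration.
    Node synchronization and the server restart still have to follow."""
    admin_task.addSignerCertificate(signer_args(scope, ca_der_path, ca_alias))
    admin_task.importCertificate(personal_args(scope, p12_path, p12_password,
                                               alias_in_file, server_alias))
    admin_config.save()
    return [ca_alias, server_alias]


class DryRunAdmin:
    """Hypothetical stand-in for AdminTask/AdminConfig outside wsadmin: records each call."""
    def __init__(self):
        self.calls = []

    def addSignerCertificate(self, args):
        self.calls.append(('AdminTask.addSignerCertificate', args))

    def importCertificate(self, args):
        self.calls.append(('AdminTask.importCertificate', args))

    def save(self):
        self.calls.append(('AdminConfig.save', ''))


SCOPE = '(cell):myCell01:(node):myNode01'        # placeholder key store scope

try:
    AdminTask, AdminConfig                      # predefined only inside wsadmin
except NameError:
    admin = DryRunAdmin()                       # dry run: show what would be issued
    import_racf_certificates(admin, admin, SCOPE, '/tmp/YYCA.DER', 'racfCA',
                             '/tmp/YYCERT.P12', 'secret', 'LABEL_IN_P12', 'racfServerCert')
    for name, args in admin.calls:
        print('%s(%s)' % (name, args))
else:
    import_racf_certificates(AdminTask, AdminConfig, SCOPE, '/tmp/YYCA.DER', 'racfCA',
                             '/tmp/YYCERT.P12', 'secret', 'LABEL_IN_P12', 'racfServerCert')
```

Run it with wsadmin -lang jython -f, after replacing the scope with the cell and node that own NodeDefaultKeyStore and NodeDefaultTrustStore; outside wsadmin it only prints the commands it would issue. As with the console procedure, synchronize the nodes and restart the servers afterwards, because servers read their key stores only at start-up.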


Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tsec_sslimportRACFcert
File name: tsec_sslimportRACFcert.html