WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: z/OS

This topic applies only on the z/OS operating system.

RACF keyring setup

Using Java to create a RACFInputStream for a RACF keystore

During the SSL authentication process, WebSphere Application Server considers a certificate that connects as a PERSONAL certificate as a KeyEntry. You can use the certificate as an end-user certificate in a Secure Sockets Layer (SSL) handshake because the private key is available.

WebSphere Application Server considers a certificate that connects as a CERTAUTH certificate as a TrustedCertEntry and treats the certificate as a Certificate Authority (CA). Keyrings require certificates that connect as PERSONAL and CA certificates that connect as CERTAUTH. Certificates that connect as SITE are not supported in this release.

The following sample listing shows a RACF keyring that a Java Secure Socket Extension (JSSE) client and server can use for both trust and key information:
Certificate Label Name Cert Owner USAGE    DEFAULT
---------------------- ---------- -------- -------
PersonalEndUserCert    ID(USERID) PERSONAL YES
PersonalEndUserCACert  CERTAUTH   CERTAUTH NO
You must add the certification path provider to your Java environment to construct certificate chains from certificates that WebSphere Application Server reads from the Resource Access Control Facility (RACF). Add the following line to your java.security file provider list:
security.provider.X=com.ibm.security.cert.IBMCertPath

If one of the RACF certificates fails to load, the keystore is not loaded. You must remove any unwanted certificates from the keyring.

The RACFInputStream constructor takes three parameters: a user ID, a ring ID, and a password. The following code example constructs a RACFInputStream directly, passing in a user ID, a ring ID, and a null password:
import java.security.KeyStore;
import com.ibm.crypto.provider.RACFInputStream;

String ksfname = "my_key_ring";   // name of the RACF keyring to read
char[] storePass = null;          // RACF keyrings take no store password
RACFInputStream ksStream = new RACFInputStream(
        System.getProperty("user.name"), ksfname, storePass);
KeyStore keyStore = KeyStore.getInstance("JCERACFKS");   // keystore type for a RACF keyring
keyStore.load(ksStream, storePass);
ksStream.close();
In the example above, the system property user.name supplies the user ID that WebSphere Application Server passes to RACF. This example is not typical.

Accessing a RACFInputStream using URLStreamHandler

In this release, you can access data through user-defined classes with the URLStreamHandler object. WebSphere Application Server can define the classes that access the data with the system property java.protocol.handler.pkgs. To access data that resides in a Service Authorization Facility (SAF) RACF keyring, use the safkeyring URL with the associated classes.
To use the URLStreamHandler class to create a RACFInputStream, define the following Java property:
-Djava.protocol.handler.pkgs
If you are using the IBM Java Cryptography Extension (IBMJCE) provider to provide cryptographic support, set the property to the following value:
-Djava.protocol.handler.pkgs=com.ibm.crypto.provider
If you are using the IBMJCE4758 provider to provide cryptographic support, set the property to the following value:
-Djava.protocol.handler.pkgs=com.ibm.crypto.hdwrCCA.provider
You can use a URL to specify a stream handler in the java.policy file. The jarsigner utility also accepts a URL for the -keystore parameter. To verify signed JAR files with certificates from a RACF keyring, you can specify in the java.policy file that WebSphere Application Server must use the keyring as the input stream for the keystore, as shown in the following example:
keystore "safkeyring://myracfid/my_key_ring", "JCERACFKS";
In this example,
  • safkeyring is the URL keyword that the server uses to access the URLStreamHandler code to read data from the keyring
  • myracfid is the RACF userid that has authority to read data from the keyring
  • my_key_ring is the name of the keyring from which the data is read
  • JCERACFKS is the keystore type defined for a SAF (RACF) keyring keystore
The Java Virtual Machine (JVM) must be started with the java.protocol.handler.pkgs property set to one of the values described previously, so that WebSphere Application Server can call the appropriate URLStreamHandler. The following example shows the jarsigner utility using a safkeyring URL:
jarsigner -keystore safkeyring://myracfid/my_key_ring -signedjar ibmjceproviders.jar ibmjceprovider.jar ibmprovider -storetype JCERACFKS
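The safkeyring URL approach from start to finish, as an added example that is not from this documentation: it sets the handler property that the JVM option above sets, loads the ring as a JCERACFKS keystore, reports which labels are KeyEntry (PERSONAL) and which are TrustedCertEntry (CERTAUTH), and builds a JSSE SSLContext that uses the ring for both key and trust material. It assumes the IBMJCE provider, that keystore aliases are the RACF certificate labels, and that RACF-managed private keys need no key password; myracfid and my_key_ring are the placeholders used in the documentation.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SafKeyringSslContext {
    // Loads the JCERACFKS keystore behind safkeyring://racfId/ringName (IBMJCE handler).
    static KeyStore loadKeyring(String racfId, String ringName)
            throws IOException, GeneralSecurityException {
        // Same effect as starting the JVM with -Djava.protocol.handler.pkgs=com.ibm.crypto.provider
        System.setProperty("java.protocol.handler.pkgs", "com.ibm.crypto.provider");
        KeyStore ks = KeyStore.getInstance("JCERACFKS");
        InputStream in = new URL("safkeyring://" + racfId + "/" + ringName).openStream();
        try {
            // No store password for a RACF keyring. If any certificate on the ring
            // cannot be read, load() throws and the keystore is not loaded at all.
            ks.load(in, null);
        } finally {
            in.close();
        }
        return ks;
    }
    // Reports each label as KeyEntry (PERSONAL) or TrustedCertEntry (CERTAUTH).
    static void describe(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String label = e.nextElement();  // assumed to be the RACF certificate label
            String kind = ks.isKeyEntry(label) ? "KeyEntry (PERSONAL, private key available)"
                    : ks.isCertificateEntry(label) ? "TrustedCertEntry (CERTAUTH, trusted CA)"
                    : "unsupported entry type";
            System.out.println(label + ": " + kind);
        }
    }
    // Uses the ring for both key and trust material, as a JSSE client or server would.
    static SSLContext sslContextFrom(KeyStore ks) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);  // assumption: RACF-managed private keys take no key password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyring("myracfid", "my_key_ring");  // documentation placeholders
        describe(ks);
        System.out.println("SSLContext ready: " + sslContextFrom(ks).getProtocol());
    }
}
```

A label that shows up as "unsupported entry type" is one the page says this release does not handle (for example a SITE certificate); remove such certificates from the ring rather than leaving them for load() to reject.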
For more information on inserting or updating information in the RACF External Security Manager, refer to the RACDCERT command in the following publications:
  • z/OS SecureWay Security Server RACF Security Administrator's Guide - SA22-7683
  • z/OS SecureWay Security Server RACF Command Language Reference - SA22-7687


Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/rsec_racfkeyringsetup.html