Versions Compared

Version Old Version 1 New Version 2
Changes made by

Stonebranch

Alec Berger

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Anchor
1178292
1178292
The member UNVINDC in the INSTALL library contains the JCL to execute the RACF commands listed in the following steps.

Step 1

Create a Certificate Authority (CA) certificate and private key using the following RACDCERT command:
 


Panel
RACDCERT CERTAUTH GENCERT +
   SUBJECTSDN(CN('Certificate Authority') +
      OU('Security') +
      O('Company Name, Inc.') +
      C('US')) +
   NOTAFTER(DATE(2030-01-01)) +
   *KEYUSAGE(HANDSHAKE CERTSIGN) +
   WITHLABEL('Company CA')


Anchor
1178302
1178302
Change the subject and label names to meet local requirements.
 

Step 2

Create a certificate for the Universal Broker STC and sign it with the CA certificate created in Step 1 using the following RACDCERT command:
 


Panel
RACDCERT ID(UBRUSR) GENCERT +
   SUBJECTSDN(CN('broker.company.com') +
      OU('Operations') +
      O('Company Name, Inc.') +
      C('US')) +
   KEYUSAGE(HANDSHAKE) +
   WITHLABEL('Broker') +
   SIGNWITH(CERTAUTH LABEL('Company CA')

Anchor
1178312
1178312
Change the subject and label names to meet local requirements. The subject's Common Name (CN) value should uniquely identify this instance of the broker in the enterprise.
 

Step 3

Create a certificate key ring for the user profile UBRUSR with the following RACDCERT command:
 


Panel
RACDCERT ID(UBRUSR) ADDRING(BROKER)


Step 4

Connect the CA certificate and the Universal Broker certificate to the key ring with the following RACDCERT command:
 


Panel
RACDCERT ID(UBRUSR) CONNECT(CERTAUTH LABEL('Company CA') +
   RING(BROKER)
RACDCERT ID(UBRUSR) CONNECT(LABEL('Broker') RING(BROKER) DEFAULT)

Anchor
1178319
1178319
Change the labels to match the values used in previous steps.
 

Step 5

If the resource profile IRR.DIGTCERT.LISTRING in the FACILITY class is not defined, define it with the following RDEFINE command:
 


Panel
RDEFINE FACILITY (IRR.DIGTCERT.LISTRING) UACC(NONE)


Step 6

Permit the Broker user profile UBRUSR READ access to the RACF profile IRR.DIGTCERT.LISTRING in the FACILITY class using the following PERMIT command:
 


Panel
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(UBRUSR) ACCESS(READ)


Step 7

Modify the Universal Broker configuration member UBRCFG00 as follows:
 


Panel
ssl_implementation   system
saf_key_ring        BROKER


Step 8


Note
titleNote

When system SSL is enabled, the Universal Broker will always provide its certificate during the SSL/TLS handshake to the remote Universal Agent manager component (e.g., UCMD, UDM) that initiates the connection. Consequently, the Universal Agent manager component always performs server authentication against that certificate. This means that the CA certificate stored in the key ring must be exported from the key ring, saved to a file on the remote system, and that file must be specified in the Universal Agent manager's configuration via the CA_CERTIFICATES option.

Depending on the peer authentication options used, it may also be necessary to generate a client certificate on the remote system that is signed by the CA stored in the key ring. The file paths to this client certificate and its private key would then be added to the remote manager's configuration via the CERTIFICATE and PRIVATE_KEY options.

To secure connections between a z/OS Universal Agent Server component (i.e., UAGSRV) and a remote OMS Server, the exported CA and trusted client certificates may also need to be added to the Universal Broker's configuration on the OMS Server system.

The CA certificate must be distributed to the remote systems from which Universal Agent managers are executed. The managers must be configured with the CA certificate in their list of Trusted CA certificates using the CA_CERTIFICATES configuration option.
 
The CA certificate is exported out of the RACF data base into a data set in a PEM (or base64) format with the following RACDCERT command:
 


Panel
RACDCERT CERTAUTH EXPORT (LABEL('Company CA')) +
   DSN(TEST.CA.CERT) FORMAT(CERTB64)

 
Change the label to match the value used in previous steps.
 
The tsoprefix.TEST.CA.CERT data set contains a PEM formatted certificate. The format is a text format that transfers safely across the network in text mode.
 
Note that the CA private key is not exported. The CA certificate does not contain any private data.