Universal Broker Digital Certificate (RACF) Set-up

Owned by
Former user (Deleted)
Last updated: Nov 29, 2022 by
IT Stonebranch
Version comment
2 min read

Universal Broker Digital Certificate (RACF) Set-up

Setting up a digital certificate infrastructure in a production environment for the first time requires careful planning by the Security organization and Universal Agent administrator. The instructions provided on this page have been simplified for illustration purposes.

You work with RACF Digital Certificates using the RACF command RACDCERT. RACF profiles control access to the functions provided by RACDCERT.

The user profile with which the following commands are executed require either:

  • SPECIAL attribute
  • Appropriate access to the IRR.DIGTCERT.function profile in the FACILITY class.
    • READ access is required to IRR.DIGTCERT.function to issue RACDCERT commands for the executing user.
    • UPDATE access is required to IRR.DIGTCERT.function to issue RACDCERT commands for other users.
    • CONTROL access is required to IRR.DIGTCERT.function to issue RACDCERT command for SITE or CERTAUTH certificates.

The member UNVINDC in the INSTALL library contains the JCL to execute the RACF commands listed in the following steps.

Step 1

Create a Certificate Authority (CA) certificate and private key using the following RACDCERT command:
 

Change the subject and label names to meet local requirements.
 

Step 2

Create a certificate for the Universal Broker STC and sign it with the CA certificate created in Step 1 using the following RACDCERT command:
 

Change the subject and label names to meet local requirements. The subject's Common Name (CN) value should uniquely identify this instance of the broker in the enterprise.
 

Step 3

Create a certificate key ring for the user profile UBRUSR with the following RACDCERT command:
 

 

Step 4

Connect the CA certificate and the Universal Broker certificate to the key ring with the following RACDCERT command:
 

Change the labels to match the values used in previous steps.
 

Step 5

If the resource profile IRR.DIGTCERT.LISTRING in the FACILITY class is not defined, define it with the following RDEFINE command:
 

 

Step 6

Permit the Broker user profile UBRUSR READ access to the RACF profile IRR.DIGTCERT.LISTRING in the FACILITY class using the following PERMIT command:
 

 

Step 7

Modify the Universal Broker configuration member UBRCFG00 as follows:
 

 

Step 8

The CA certificate must be distributed to the remote systems from which Universal Agent managers are executed. The managers must be configured with the CA certificate in their list of Trusted CA certificates using the CA_CERTIFICATES configuration option.
 
The CA certificate is exported out of the RACF data base into a data set in a PEM (or base64) format with the following RACDCERT command:
 

 
Change the label to match the value used in previous steps.
 
The tsoprefix.TEST.CA.CERT data set contains a PEM formatted certificate. The format is a text format that transfers safely across the network in text mode.
 
Note that the CA private key is not exported. The CA certificate does not contain any private data.