Generate Digital Certificates with CA ACF2
The following example shows how a business partner can set up CA Tape Encryption with self-signed digital certificates generated by CA ACF2. This lets you send your public key to the site that creates the tape so that it can be used for encryption purposes.
Note: The sample commands in this example may vary at your site depending on your naming conventions and environment. Adjust the commands according to your site standards and environment.
To generate a digital certificate with CA ACF2
- Generate the CA Tape Encryption digital certificate with the GENCERT command as shown in the following example:
SET PROFILE(USER) DIV(CERTDATA)
GENCERT BES.TAPECRE8 SUBJ(cn='common-name' OU='org-unit' -
O='organization' L='location' ST='state' C='US') -
LABEL(BESCERT) -
EXPIRE(mm/dd/yy)
- In this example, BES is the CA Tape Encryption started task and BES.TAPECRE8 is the digital certificate profile name in CA ACF2. If the started task name differs, change BES.TAPECRE8 to xxxxxxx.TAPECRE8 where xxxxxxx is the name of your CA Tape Encryption started task.
Note: Even if you plan to run multiple started tasks, the started task names will all be the same.
- Tailor the GENCERT SUBJ parameters as needed for your company or organization. Change mm/dd/yy in the EXPIRE parameter to a valid expiration date.
- Tailor the LABEL parameter to match what you specify on the BES= string. The certificate LABEL parameter is case-sensitive. Because the DFSMS data class editor forces the BES= parameter in the description field to uppercase, the LABEL name you choose must be specified as all uppercase in order to match. This example creates a certificate with the label BESCERT, which corresponds to the following BES= string:
BES=(RSA(BTERING):BESCERT,AES128)
The digital certificate is generated.
- Create the CA Tape Encryption key ring and connect the certificate to it as shown in the following example:
SET PROFILE(USER) DIV(KEYRING)
INSERT BES.RING RINGNAME(BESRING)
CONNECT CERTDATA(BES.TAPECRE8) KEYRING(BES.RING) DEFAULT
- In this example, the CA Tape Encryption started task is named BES. If the started task name differs, change BES.RING to xxxxxxx.RING where xxxxxxx is the name of your CA Tape Encryption started task. Change BES.TAPECRE8 on the CONNECT command to xxxxxxx.TAPECRE8 where xxxxxxx is the name of your CA Tape Encryption started task.
- Tailor the RINGNAME parameter on the INSERT command. The RINGNAME parameter you specify in this step must match the value of the KeyRingName attribute in your parmlib. Because the SMS Data Class editor forces the description field to uppercase, the RINGNAME you choose must be specified as all uppercase in order to match.
- In this example, BESRING is the key ring name that corresponds to the value of the KeyRingName attribute in the parmlib member, as shown in the following sample:
<B2BKeyrings>
ShareRingAlias = BTEring
<BTEring>
KeyRingName = 'BESRING'
B2BRSAKeepHours=8
The key ring RINGNAME is case-sensitive and must exactly match the value of the KeyRingName attribute in your CA Tape Encryption parmlib.
A CA Tape Encryption key ring is created and the certificate is attached to it.
- Authorize the CA Tape Encryption started task to be able to read certificates from the key ring as shown in the following example:
SET RESOURCE(FAC)
RECKEY IRR ADD(DIGTCERT.LIST UID(bes_uid) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING UID(bes_uid) SERVICE(READ) ALLOW)
- Specify the CA ACF2 UID value of the CA Tape Encryption started task in both RECKEY commands.
- READ access to IRR.DIGTCERT.LISTRING is required to retrieve certificates from a key ring that you own, for example, BES.RING.
- UPDATE access to IRR.DIGTCERT.LISTRING is required to retrieve certificates from a key ring that another user owns.
- If the CA Encryption Key Manager is being used, CONTROL access is required to IRR.DIGTCERT.LIST and UPDATE access is required to IRR.DIGTCERT.LISTRING.
The CA Tape Encryption started task can now read the certificates from the key ring.
- Export the self-signed CA Tape Encryption started task certificate as shown in the following example:
EXPORT BES.TAPECRE8 DSN('BES.TAPE.ENCRYPT.STC.CERT')
The certificate is exported. The EXPORT command creates an industry standard, transportable digital certificate. This allows you to transmit the certificate to another site where the tape will be read.
- Transfer the data set BES.TAPE.ENCRYPT.STC.CERT to the site that will be creating the tape using FTP, email, or any normal means.
Note: For more information about the commands in the example, see the CA ACF2 Security for z/OS Administrator Guide.
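The procedure above depends on case-sensitive names agreeing in three places: the GENCERT LABEL against the BES= string in the DFSMS data class description, the INSERT RINGNAME against the KeyRingName attribute in parmlib, and the started task name prefixing both the xxxxxxx.TAPECRE8 and xxxxxxx.RING profiles. The following added Python check is not CA code; it assumes the ACF2 commands, the BES= string and the parmlib fragment have been captured as plain text, and its sample inputs are constructed from the example on this page.

```python
import re

# Constructed sample input modelled on this page's example; not site data.
ACF2_COMMANDS = """\
SET PROFILE(USER) DIV(CERTDATA)
GENCERT BES.TAPECRE8 SUBJ(cn='common-name' OU='org-unit' -
O='organization' L='location' ST='state' C='US') -
LABEL(BESCERT) -
EXPIRE(12/31/29)
SET PROFILE(USER) DIV(KEYRING)
INSERT BES.RING RINGNAME(BESRING)
CONNECT CERTDATA(BES.TAPECRE8) KEYRING(BES.RING) DEFAULT
"""
DATACLASS_BES = "BES=(RSA(BTERING):BESCERT,AES128)"  # DFSMS data class description field
PARMLIB = "<B2BKeyrings>\nShareRingAlias = BTEring\n<BTEring>\nKeyRingName = 'BESRING'\n"

def _grab(pattern, text):
    """Return the first capture group of pattern in text, or None if absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_tape_encryption_setup(commands, bes_string, parmlib):
    """Return mismatches between the ACF2 commands, the BES= string and the
    parmlib KeyRingName; an empty list means the pieces are consistent."""
    joined = re.sub(r" -\n\s*", " ", commands)  # join ACF2 continuation lines
    cert_profile = _grab(r"^GENCERT (\S+)", joined)            # e.g. BES.TAPECRE8
    label = _grab(r"^GENCERT .*LABEL\((\S+?)\)", joined)
    ring_profile = _grab(r"^INSERT (\S+)", joined)             # e.g. BES.RING
    ringname = _grab(r"^INSERT .*RINGNAME\((\S+?)\)", joined)
    connected = (_grab(r"^CONNECT CERTDATA\((\S+?)\)", joined),
                 _grab(r"^CONNECT .*KEYRING\((\S+?)\)", joined))
    bes_label = _grab(r"^BES=\(.*?:(\w+),", bes_string)
    key_ring_name = _grab(r"^KeyRingName\s*=\s*'([^']*)'", parmlib)
    problems = []
    # Both profiles must carry the same started task name prefix (xxxxxxx).
    stc = cert_profile.split(".")[0] if cert_profile else None
    if not (cert_profile and cert_profile.endswith(".TAPECRE8") and ring_profile == f"{stc}.RING"):
        problems.append("profiles must be <stc>.TAPECRE8 and <stc>.RING for one started task")
    if connected != (cert_profile, ring_profile):
        problems.append("CONNECT must name the GENCERT certificate and the INSERT key ring")
    # LABEL is case-sensitive and DFSMS upper-cases the BES= string, so it must be uppercase.
    if label != bes_label or label != (label or "").upper():
        problems.append(f"LABEL {label!r} must be uppercase and equal the BES= label {bes_label!r}")
    # RINGNAME is case-sensitive and must exactly match the parmlib KeyRingName.
    if ringname != key_ring_name or ringname != (ringname or "").upper():
        problems.append(f"RINGNAME {ringname!r} must be uppercase and equal KeyRingName {key_ring_name!r}")
    return problems
```

Run it against your own captured command text before submitting the commands; any entry in the returned list is a mismatch that would otherwise only surface when the started task fails to find the certificate or key ring.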