The following sample JCL shows how to generate digital certificates with CA ACF2. Modify the sample to suit the needs of your site.
//JOBNAME JOB (00000000),'BTE SSL SETUP',NOTIFY=xxxxxxx,MSGCLASS=X 00010002
//*
//* This job runs four ACFBATCH steps: generate a certificate,
//* build a key ring and connect the certificate to it, add
//* resource rules of type FAC, and export the certificate.
//*
//* NOTE(review): the submitting logonid presumably needs ACF2
//* authority to administer certificates, key rings and FAC
//* rules - confirm, and run the job under an administrative
//* ID rather than widening the authority of an ordinary one.
//*
//* Step 1: Generate the self-signed CA Tape Encryption
//* digital certificate
//*
//* Note: Tailor the GENCERT SUBJ parameters as needed for your
//* company or organization. Change "mm/dd/yy" in the EXPIRE
//* parameter to a valid expiration date.
//*
//* Tailor the LABEL parameter to match what you specify on
//* the BES= string. This example creates a certificate with
//* label "BESCERT" which corresponds to the following BES=
//* string:
//*
//* BES=(RSA(BTERING):BESCERT,AES128)
//*
//* This example assumes that your CA started task
//* is named "BES". If the started task name differs, change
//* "BES.TAPECRE8" to "xxxxxxx.TAPECRE8" where xxxxxxx is the name
//* of your CA started task.
//*
//* Security notes (review):
//* - The certificate is self-signed, so no issuing CA vouches
//* for it. A partner site can only trust it by comparing the
//* certificate it receives with a fingerprint obtained over
//* a separate channel.
//* - No key size is given on GENCERT, so the CA ACF2 default
//* applies. Check that default against your site's minimum
//* RSA key-length policy; if it is too small, specify the
//* size explicitly (GENCERT SIZE operand - confirm for your
//* release).
//* - Choose an EXPIRE date that fits your certificate lifetime
//* policy and schedule the renewal before that date.
//* Presumably an expired certificate can no longer be used
//* for key exchange - confirm the product's behavior.
//*
//BATCH1 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSIN DD *
GENCERT BES.TAPECRE8 SUBJ(cn='common-name' OU='org-unit' -
O='organization' L='location' ST='state' C=US) -
LABEL(BESCERT) -
EXPIRE(mm/dd/yy)
//*
//* Step 2: Create the CA Tape Encryption keyring
//* and connect the certificate to it
//*
//* Note: Tailor the RINGNAME parameter on the INSERT command.
//* The RINGNAME parameter you specify in this step must match
//* the "Keyringname" parameter in your PARMLIB. This example
//* uses "BESRING" which corresponds to the PARMLIB member
//* shown below:
//*
//* <B2BKeyrings>
//* ShareRingAlias = BTEring
//*
//* <BTEring>
//* Keyringname = 'BESRING'
//* B2BRSAKeepHours=8
//*
//* The keyring RINGNAME is case-sensitive and must match
//* the BTE PARMLIB "Keyringname" exactly.
//*
//* This example assumes that your CA started task
//* is named "BES". If the started task name differs, change
//* "BES.RING" to "xxxxxxx.RING" where xxxxxxx is the name
//* of your CA started task. Change "BES.TAPECRE8" on the
//* CONNECT command to "xxxxxxx.TAPECRE8" where xxxxxxx is the
//* name of your CA started task.
//*
//* What the commands below do:
//* - SET PROFILE(USER) DIV(KEYRING) switches ACF to key ring
//* profile records.
//* - INSERT creates key ring record BES.RING with ring name
//* BESRING.
//* - CONNECT attaches certificate BES.TAPECRE8 to BES.RING and
//* marks it as the ring's DEFAULT certificate.
//*
//* Security notes (review):
//* - Connect only the certificates this started task needs.
//* Presumably every certificate on the ring is visible to
//* any ID that is allowed to list the ring - confirm.
//* - NOTE(review): the ring alias is written "BTEring" here
//* and "BTERING" in the Step 1 BES= example. Confirm whether
//* alias matching is case-sensitive, as RINGNAME is.
//*
//BATCH2 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSIN DD *
SET PROFILE(USER) DIV(KEYRING)
INSERT BES.RING RINGNAME(BESRING)
CONNECT CERTDATA(BES.TAPECRE8) KEYRING(BES.RING) DEFAULT
//*
//* Step 3: Authorize the CA Tape Encryption
//* started task to be able to read certificates
//* from the keyring
//*
//* Note: Specify the CA-ACF2 UID value of the CA started task
//* in both RECKEY commands.
//*
//* READ access to IRR.DIGTCERT.LISTRING is required to retrieve
//* certificates from a keyring that you own (i.e. BES.RING).
//*
//* UPDATE access to IRR.DIGTCERT.LISTRING is required to retrieve
//* certificates from a keyring that another user owns.
//*
//* Security notes (review):
//* - Replace bes_uid with a UID string that matches only the
//* started task's logonid. A short or masked UID string can
//* match many logonids and would give all of them the same
//* access to key ring contents.
//* - In this example the started task owns BES.RING, so READ
//* is sufficient. Do not grant UPDATE unless the task must
//* read a ring owned by another user.
//* - The first RECKEY also grants READ to IRR.DIGTCERT.LIST,
//* which the note above does not describe. Confirm that your
//* configuration needs it before keeping that rule.
//* - NOTE(review): if FAC rules are resident at your site, the
//* new rules presumably take effect only after the resident
//* directory is rebuilt (F ACF2,REBUILD(FAC)) - confirm.
//*
//BATCH3 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSIN DD *
SET RESOURCE(FAC)
RECKEY IRR ADD(DIGTCERT.LIST UID(bes_uid) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING UID(bes_uid) SERVICE(READ) ALLOW)
//*
//* Step 4: EXPORT the self-signed CA Tape Encryption started
//* task certificate. This is done so that it can be transmitted
//* to another site.
//*
//* Security notes (review):
//* - No format or password operand is given on EXPORT, so this
//* presumably writes the certificate only, without the
//* private key - confirm in the SYSPRINT output before the
//* data set is sent. The private key should not leave this
//* system.
//* - Protect data set BES.TAPE.ENCRYPT.STC.CERT with data set
//* access rules so that the exported certificate cannot be
//* altered before it is transmitted.
//* - Because the certificate is self-signed, the receiving
//* site should confirm its fingerprint with you over a
//* separate channel before installing it as trusted.
//*
//BATCH4 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSIN DD *
EXPORT BES.TAPECRE8 DSN('BES.TAPE.ENCRYPT.STC.CERT')
//*
//* Final step: COND=EVEN makes this step run even if an earlier
//* step ended abnormally.
//* NOTE(review): NOTIFY looks like a site-local program; replace
//* PARM=XXXXXXX or remove the step as appropriate - confirm.
//* NOTE(review): a job that runs to completion does not by
//* itself show that every ACF2 command was accepted. Review the
//* SYSPRINT output of BATCH1 through BATCH4 for rejected
//* commands before relying on the certificate, ring or rules.
//NOTIFY EXEC PGM=NOTIFY,COND=EVEN,PARM=XXXXXXX
//