Add a Business Partner's CA ACF2 Digital Certificate

If you are running CA ACF2 at your site and you receive a digital certificate that was generated by a business partner using CA ACF2, CA Top Secret, or IBM Security Server RACF, use the following sample commands to define and add the certificate to the user task and CA Tape Encryption started task on your system.

If the remote security system is not using CA ACF2, CA Top Secret, or IBM Security Server RACF, ensure that the certificate is a DER-encoded X.509 certificate that is in Base64 format (CERTB64).
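A certificate received from a partner on a different security product can be checked for the expected CERTB64 form before it is uploaded to the data set named on the INSERT command. The following checker is an added example and is not part of CA Tape Encryption or CA ACF2; it uses only the Python standard library, strips optional PEM header and footer lines, Base64-decodes the body, and confirms that the result is exactly one DER SEQUENCE whose three top-level elements have the tags of an X.509 Certificate (tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING). The sample input is a constructed DER skeleton with dummy contents, not a real certificate; the helper names are assumptions of this example.

```python
import base64
import binascii
import re


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


# Constructed sample input (not a real certificate): the three top-level
# elements of an X.509 Certificate with dummy contents.
_TBS = _der_tlv(0x30, _der_tlv(0x02, b"\x01"))  # dummy tbsCertificate holding INTEGER 1
_SIG_ALG = _der_tlv(0x30, _der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # OID sha256WithRSAEncryption
_SIG_VAL = _der_tlv(0x03, b"\x00" + b"\x00" * 32)  # BIT STRING, zero unused bits, dummy signature
SAMPLE_DER = _der_tlv(0x30, _TBS + _SIG_ALG + _SIG_VAL)
SAMPLE_CERTB64 = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content_start, content_end) for the DER element at pos; raise ValueError if malformed."""
    if pos + 2 > len(data):
        raise ValueError("truncated element header")
    tag = data[pos]
    first = data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + 2 + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos + 2 : pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    end = start + length
    if end > len(data):
        raise ValueError("element length exceeds data")
    return tag, start, end


def check_certb64(text: str) -> bool:
    """Return True if text is one Base64-encoded DER X.509 certificate (PEM armour optional)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
        tag, start, end = _read_tlv(der, 0)
        # Outer element must be a SEQUENCE that consumes the whole decoded blob.
        if tag != 0x30 or end != len(der):
            return False
        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        tags = []
        pos = start
        while pos < end:
            t, _, e = _read_tlv(der, pos)
            tags.append(t)
            pos = e
        return tags == [0x30, 0x30, 0x03]
    except (ValueError, binascii.Error):
        return False


if __name__ == "__main__":
    print("sample accepted:", check_certb64(SAMPLE_CERTB64))
    print("truncated rejected:", not check_certb64(base64.b64encode(SAMPLE_DER[:-5]).decode()))
```

The check is structural only: it confirms the encoding the page requires, not the certificate's validity or trust, which the security product evaluates once the certificate is inserted. A truncated transfer, a PKCS#7 bundle, or a raw DER file pasted without Base64 encoding all fail the check before the INSERT command is run.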

Note: The sample commands in this example may vary at your site depending on your naming conventions and environment. Adjust the commands according to your site standards and environment.

To add a business partner's digital certificate using CA ACF2

  1. Import the self-signed CA Tape Encryption digital certificate into CA ACF2 as shown in the following example:
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT BES.TAPEREAD DSN('BES.TAPE.ENCRYPT.STC.CERT') LABEL(BESCERT)

    In this example, BES is the CA Tape Encryption started task and BES.TAPEREAD is the digital certificate name in CA ACF2. If the started task name differs, change BES.TAPEREAD to xxxxxxx.TAPEREAD where xxxxxxx is the name of your CA Tape Encryption started task.

    The LABEL parameter must match what you specify on the BES= string on the system the tape was created on. This example inserts a certificate with label BESCERT, which corresponds to the following BES= string on the system the tape was created on:

    BES=(RSA(BTERING):BESCERT,AES128)

    The digital certificate from the business partner is imported into CA ACF2.

  2. Create the CA Tape Encryption key ring and connect the certificate to it as shown in the following example:
    SET PROFILE(USER) DIV(KEYRING)
    INSERT BES.RING RINGNAME(BESRING)
    CONNECT CERTDATA(BES.TAPEREAD) KEYRING(BES.RING) DEFAULT

    In this example, BES is the CA Tape Encryption started task and BES.TAPEREAD is the digital certificate profile name in CA ACF2. If the started task name differs, change BES.TAPEREAD on the CONNECT command to xxxxxxx.TAPEREAD where xxxxxxx is the name of your CA Tape Encryption started task.

    The CA Tape Encryption key ring is created and the certificate is connected to it.

  3. Authorize the CA Tape Encryption started task to be able to read certificates from the key ring as shown in the following example:
    SET RESOURCE(FAC)
    RECKEY IRR ADD(DIGTCERT.LIST UID(bes_uid) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(DIGTCERT.LISTRING UID(bes_uid) SERVICE(READ) ALLOW)

    The CA Tape Encryption started task is now authorized to read the certificates from the key ring.

Note: For more information about the commands in the example, see the CA ACF2 documentation.