Generate Digital Certificates with CA Top Secret

The following example shows how a business partner can set up CA Tape Encryption with self-signed digital certificates generated by CA Top Secret and transmit them to the organization that will create the encrypted tape.

Note: The sample commands in this example may vary at your site depending on your naming conventions and environment. Adjust the commands according to your site standards and environment.

To generate a digital certificate with CA Top Secret

  1. Generate the CA Tape Encryption digital certificate with the TSS GENCERT command as shown in the following example:
    TSS GENCERT(BES) DIGICERT(BESCERT) -
    SUBJECTN('O="COMPANYA" CN="BES certificate" -
    OU="SYSTEMS" C="US" ')
    

    In this example, BES is the CA Tape Encryption started task region accessor ID (ACID) and BESCERT is the digital certificate name in CA Top Secret.

    The CA Tape Encryption digital certificate is generated.

  2. Create the CA Tape Encryption started task KEYRING with the TSS ADD command as shown in the following example:
    TSS ADD(BES) KEYRING(BESRING)  LABLRING(BESRING)
    

    Note: There are no blank spaces in the LABLRING portion of the command.

    The CA Tape Encryption started task KEYRING is created.

  3. Add the CA Tape Encryption started task's certificate to the CA Tape Encryption started task's KEYRING with the TSS ADD command as shown in the following example:
    TSS ADD(BES) KEYRING(BESRING) RINGDATA(BES, BESCERT) -
    USAGE(PERSONAL)
    

    The CA Tape Encryption started task's certificate is added to the key ring.

  4. Permit the CA Tape Encryption started task's region ACID to the SSL KEYRING, certificates, and mappings with the TSS PERMIT command as shown in the following example:
    TSS PER(BES) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
    TSS PER(BES) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
    TSS PER(BES) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)
    

    Note: If the CA Encryption Key Manager is being used, CONTROL access is required to IRR.DIGTCERT.GENCERT and UPDATE access is required to IRR.DIGTCERT.LISTRING.

    The CA Tape Encryption started task's region ACID now has the appropriate permissions.

  5. Export the CA Tape Encryption started task's certificate public key to a data set with the TSS EXPORT command as shown in the following example:
    TSS EXPORT(BES) DIGICERT(BESCERT) DCDSN('BES.STARTED.TASK.CERT')
    

    The TSS EXPORT command creates an industry standard, transportable digital certificate.

    Note: The data set does not need to be formatted. It is automatically created and cataloged.

    The certificate is exported.

  6. Transfer the data set BES.STARTED.TASK.CERT to the site that will be creating the tape, using FTP, email, or any normal means.

    The certificate is transferred.

Note: For more information about the commands in the example, see the CA Top Secret Security for z/OS Cookbook.
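
A check the receiving site can run on the transferred file from step 6 before trusting it, added here as an example and not part of the CA documentation: it computes the certificate's SHA-256 fingerprint for comparison with a value the sender supplies over a separate channel. It assumes the exported data set arrives as DER or base64 text (the page does not state the format); the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(raw: bytes) -> bytes:
    """Normalize a transferred certificate file to DER bytes.

    Handles binary DER, ASCII base64, and base64 that is still EBCDIC
    because a text data set was sent in binary mode.
    """
    der = raw
    for codec in ("ascii", "cp037"):
        try:
            found = PEM_RE.search(raw.decode(codec))
        except UnicodeDecodeError:
            continue
        if found:
            # Drop CR/LF and the blank padding of fixed-length records.
            body = re.sub(r"\s+", "", found.group(1))
            try:
                der = base64.b64decode(body, validate=True)
            except ValueError as exc:
                raise ValueError("base64 body damaged in transit") from exc
            break
    if der[:1] != b"\x30":  # every DER certificate starts with SEQUENCE
        raise ValueError("file is not a PEM or DER certificate")
    return der


def fingerprint(raw: bytes) -> str:
    """SHA-256 fingerprint of the certificate, as upper-case hex."""
    return hashlib.sha256(to_der(raw)).hexdigest().upper()


def matches(raw: bytes, expected: str) -> bool:
    """Compare with a fingerprint the sender supplied out of band."""
    want = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    return hmac.compare_digest(fingerprint(raw), want)


# Constructed stand-in bytes, not a real certificate: a SEQUENCE header
# plus filler, wrapped the way an 80-column text data set arrives.
SAMPLE_DER = b"\x30\x82\x00\x20" + bytes(range(32))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "\r\n".join(line.ljust(80) for line in (
    "-----BEGIN CERTIFICATE-----", _b64, "-----END CERTIFICATE-----"))
```

The same fingerprint results whether the file was sent as DER, as ASCII text, or as EBCDIC text, so a mismatch points to a changed certificate and not to the transfer mode.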