The following example shows how a business partner can set up CA Tape Encryption with self-signed digital certificates generated by IBM Security Server RACF and transmit them to the organization that will create the encrypted tape.
Note: The sample commands in this example may vary at your site depending on your naming conventions and environment. Adjust the commands according to your site standards and environment.
To generate a digital certificate with IBM Security Server RACF
RACDCERT ID(BES) GENCERT -
SUBJECTSDN(CN('BES certificate') O('organization')) -
SIZE(1024) WITHLABEL('BESCERT')
In this example, BES is the CA Tape Encryption started task region user ID, and BESCERT is the digital certificate name in RACF.
The digital certificate is generated.
RACDCERT ID(BES) ADDRING(BESRING)
The key ring is created.
RACDCERT ID(BES) CONNECT(LABEL('BESCERT') RING(BESRING))
The certificate is added to the key ring.
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) -
ID(BES) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
ID(BES) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) -
ID(BES) ACCESS(UPDATE)
Note: If the CA Encryption Key Manager is being used, CONTROL access is required to IRR.DIGTCERT.GENCERT and UPDATE access is required to IRR.DIGTCERT.LISTRING.
The CA Tape Encryption started task now has the appropriate permissions.
RACDCERT ID(BES) EXPORT(LABEL('BESCERT')) -
DSN('BES.TAPEENCRYPTION.CERT') FORMAT(CERTDER)
The RACDCERT EXPORT command creates an industry standard, transportable digital certificate.
Note: The data set does not need to be formatted. It is automatically created and cataloged.
The certificate is exported.
The certificate is transferred.
Note: For more information about the commands in the example, see IBM's z/OS Security Server RACF Command Language Reference.
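The following batch TSO job is an added example, not part of the original CA documentation. It checks the results of the steps above before the certificate is transferred. The job name, accounting field, and job classes are placeholders, and the SETROPTS refresh assumes that the FACILITY class is RACLISTed at your site.

```jcl
//BESVRFY  JOB (ACCT),'VERIFY BESCERT',CLASS=A,MSGCLASS=X
//*
//* Added example: job card values above are site-specific placeholders.
//*
//* Commands issued in SYSTSIN, in order:
//*  1. SETROPTS refresh so the new PERMITs take effect
//*     (assumes the FACILITY class is RACLISTed)
//*  2. List the certificate: confirm the label, owner, subject name,
//*     validity dates, and that a private key is present
//*  3. List the key ring: confirm BESCERT is connected to BESRING
//*  4. Show the access list of each IRR.DIGTCERT profile: confirm
//*     that BES has the access level granted in the procedure
//*  5. Confirm the exported certificate data set was cataloged
//*
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(BES) LIST(LABEL('BESCERT'))
  RACDCERT ID(BES) LISTRING(BESRING)
  RLIST FACILITY IRR.DIGTCERT.GENCERT AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LIST AUTHUSER
  LISTCAT ENTRIES('BES.TAPEENCRYPTION.CERT')
/*
```

Review the SYSTSPRT output for each command. The exported data set contains only the certificate, so the private key stays in the RACF database under the BES user ID.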