Configure ACF2 Security

Follow these steps to configure iDash to use ACF2 security.
This section assumes you have completed the steps that are documented under 'Prepare Certificates for External Security'. Remember, you are loading a minimum of three certificates (more if you do failover) in your external security product:
  1. CA 7 Server for iDash Certificate Authority (CA) certificate
  2. CA 7 Server for iDash Server certificate
  3. iDash Server certificate (exported using the keytool utility)
Follow these steps to configure iDash to use ACF2 security:
  1. Confirm you have completed the steps that are documented under 'Prepare Certificates for External Security'.
  2. Create an ACF2 key ring:
    SET PROFILE(USER) DIV(KEYRING)
    INSERT user1.ring RINGNAME(yourRingName)
    user1.ring
      Specifies the record ID.
      Example: user1.ring
    RINGNAME(yourRingName)
      Specifies the name of the key ring. The ring name can contain mixed-case characters and special characters (!&*¬-%_?:=.). Blanks are not allowed.
      Limits: Up to 237 characters
    The key ring is created.
  3. Validate that your certificates are accepted by ACF2:
    SET PROFILE(USER) DIV(CERTDATA)
    CHKCERT DSN('your.mvs.cacert.name') PASSWORD(exportpassword)
    CHKCERT DSN('your.mvs.srvcert.name') PASSWORD(exportpassword)
    CHKCERT DSN('your.mvs.idashserver.cacert.name')
  4. Add the CA 7 Server for iDash Certificate Authority (CA) certificate to your ACF2 database:
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT CERTAUTH.yourcacertname DSN('your.mvs.cacert.name') LABEL(your label description) PASSWORD(pswd)
    yourcacertname
      Specifies your CA 7 Server for iDash Certificate Authority (CA) certificate name.
      Example: IDASHCA
    'your.mvs.cacert.name'
      Specifies the name of the sequential data set where the CA certificate was uploaded.
    your label description
      Specifies a 32-character label to be associated with the CA certificate. The label can contain blanks and mixed-case characters. Quotes are not allowed. If a label is not specified, the label field defaults to the uppercase version of the logonid that was specified.
      Example: IDASHCA
    pswd
      The password that was used to store the certificate in the gskkyman database. This field may be optional.
  5. Add the CA 7 Server for iDash Server certificate to your ACF2 database:
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT user1.yourservercertname DSN('your.mvs.srvcert.name') LABEL(your label description) -
      TRUST PASSWORD(pswd)
    yourservercertname
      Specifies your CA 7 Server for iDash Server certificate name.
      Example: user1.IDASHCA
    'your.mvs.srvcert.name'
      Specifies the name of the sequential data set where the Server certificate was uploaded.
    your label description
      Specifies a 32-character label to be associated with the Server certificate. The label can contain blanks and mixed-case characters. Quotes are not allowed. If a label is not specified, the label field defaults to the uppercase version of the logonid that was specified.
      Example: IDASHSRV
    pswd
      The password that was used to store the certificate in the gskkyman database. This field may be optional.
  6. Add the iDash Server certificate to your ACF2 database:
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT user1.youriDashservercacertname DSN('your.mvs.idashserver.cacert.name') LABEL(your label description) TRUST
    youriDashservercacertname
      Specifies your iDash Certificate Authority (CA) certificate name.
      Example: user1.IDASHCL1
    'your.mvs.idashserver.cacert.name'
      Specifies the name of the sequential data set where the iDash CA certificate was uploaded.
    your label description
      Specifies a 32-character label to be associated with the iDash Server certificate. The label can contain blanks and mixed-case characters. Quotes are not allowed. If a label is not specified, the label field defaults to the uppercase version of the logonid that was specified.
      Example: IDASHCL1
  7. Alter the server certificates to mark them as trusted, if necessary:
    SET PROFILE(USER) DIV(CERTDATA)
    CHANGE user1.yourservercertname TRUST
    CHANGE user1.youriDashservercacertname TRUST
  8. Connect the certificates to the key ring.
    After you add the certificates to the ACF2 database, connect all the certificates to the key ring:
    SET PROFILE(USER) DIV(KEYRING)
    CONNECT CERTDATA(user1.yourservercertname) KEYRING(user1.ring) USAGE(PERSONAL) DEFAULT
    CONNECT CERTDATA(user1.youriDashservercacertname) KEYRING(user1.ring) USAGE(PERSONAL)
    CONNECT CERTDATA(CERTAUTH.yourcacertname) KEYRING(user1.ring) USAGE(CERTAUTH)
    If you have another CA 7 Server for iDash and/or iDash Server that you have set up for failover, you need to add those certificates to the ACF2 database. You need to provide different DIGICERT names for these failover certificates.
  9. Grant user permissions for the non-shared certificates.
    Give user1 permission to read key rings and certificates as shown in this example:
    ACF
    SET RESOURCE(FAC)
    RECKEY IRR ADD(DIGTCERT.ADD UID(user1) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(DIGTCERT.ADDRING UID(user1) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(DIGTCERT.ALTER UID(user1) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(DIGTCERT.CONNECT UID(user1) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(DIGTCERT.LIST UID(user1) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(DIGTCERT.LISTRING UID(user1) SERVICE(READ) ALLOW)
  10. Activate the KEYRING and CERTDATA records:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS(CERTDATA)
    F ACF2,REBUILD(FAC)
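Steps 2 through 9 assembled into a single ACFBATCH job, so the record IDs used by INSERT, CHANGE and CONNECT can be seen to line up, using the example names from the steps (user1, user1.ring, CERTAUTH.IDASHCA, user1.IDASHCA, user1.IDASHCL1). This is an added illustration and not part of the product documentation; the job card, the ring name IDASHRING, the USER1.IDASH.* data set names and both passwords are placeholders, and the three F ACF2 operator commands of step 10 are still entered from the console after the job ends.

```jcl
//IDASHACF JOB (ACCT),'IDASH ACF2 SETUP',CLASS=A,MSGCLASS=X
//* Placeholder job card. SYSIN below carries the ACF subcommands in
//* step order: create the ring, check the three uploaded certificates,
//* insert them (CA cert under CERTAUTH, both server certs under user1),
//* mark the server certs trusted, connect all three to user1.ring with
//* the CA 7 server cert as the DEFAULT personal cert, then grant user1
//* READ on the DIGTCERT resources it needs to use its own ring.
//ACFBATCH EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
SET PROFILE(USER) DIV(KEYRING)
INSERT user1.ring RINGNAME(IDASHRING)
SET PROFILE(USER) DIV(CERTDATA)
CHKCERT DSN('USER1.IDASH.CACERT') PASSWORD(exportpassword)
CHKCERT DSN('USER1.IDASH.SRVCERT') PASSWORD(exportpassword)
CHKCERT DSN('USER1.IDASH.CLCERT')
INSERT CERTAUTH.IDASHCA DSN('USER1.IDASH.CACERT') LABEL(IDASHCA) -
  PASSWORD(pswd)
INSERT user1.IDASHCA DSN('USER1.IDASH.SRVCERT') LABEL(IDASHSRV) -
  TRUST PASSWORD(pswd)
INSERT user1.IDASHCL1 DSN('USER1.IDASH.CLCERT') LABEL(IDASHCL1) TRUST
CHANGE user1.IDASHCA TRUST
CHANGE user1.IDASHCL1 TRUST
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(user1.IDASHCA) KEYRING(user1.ring) USAGE(PERSONAL) DEFAULT
CONNECT CERTDATA(user1.IDASHCL1) KEYRING(user1.ring) USAGE(PERSONAL)
CONNECT CERTDATA(CERTAUTH.IDASHCA) KEYRING(user1.ring) USAGE(CERTAUTH)
SET RESOURCE(FAC)
RECKEY IRR ADD(DIGTCERT.ADD UID(user1) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.ADDRING UID(user1) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.ALTER UID(user1) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.CONNECT UID(user1) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LIST UID(user1) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING UID(user1) SERVICE(READ) ALLOW)
/*
```

Check SYSPRINT for the return code of each CHKCERT before trusting the INSERT results; a CHKCERT failure usually means the data set was uploaded with the wrong record format or export password.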
(Optional) Post-Configuration Tasks
Debug Key Ring and Certificate Issues
The following ACF2 commands can be useful for identifying errors or failures that are related to your key ring or certificates. Use them to list the key ring and certificates and verify their existence and attributes.
  • To list the key ring for the user:
    SET PROFILE(USER) DIV(KEYRING)
    LIST user1.ring
  • To list the certificate authority (CA) certificates:
    SET PROFILE(USER) DIV(CERTDATA)
    LIST CERTAUTH.yourcacertname
  • To list the server certificates:
    SET PROFILE(USER) DIV(CERTDATA)
    LIST user1.yourservercertname
    LIST user1.youriDashservercacertname
Replace an Expired Server Certificate
When a certificate expires, replace your existing certificate with a new one. The steps to replace an existing certificate with a new certificate are similar to the steps that you performed when obtaining and adding the certificates.
Follow these steps:
  1. Obtain one or more new certificates.
  2. Upload the certificates to z/OS.
  3. Delete the existing certificates from the Top Secret database so you can use the same labels for the new certificates:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    DELETE user1.yourservercertname
    DELETE user1.youriDashservercacertname
    DELETE CERTAUTH.yourcacertname
  4. Add the new certificates and connect them to your key ring as previously described.