Configure ACF2 Security
This section assumes you have completed the steps that are documented under 'Prepare Certificates for External Security'. Remember, you are loading a minimum of three certificates (more if you use failover) into your external security product:
- CA 7 Server for iDash Certificate Authority (CA) certificate
- CA 7 Server for iDash Server certificate
- iDash Server certificate (exported using the keytool utility)
Follow these steps to configure iDash to use ACF2 security:
- Confirm that you have completed the steps that are documented under 'Prepare Certificates for External Security'.
- Create an ACF2 key ring.
      SET PROFILE(USER) DIV(KEYRING)
      INSERT user1.ring RINGNAME(yourRingName)
  - user1.ring
    - Specifies the record ID
    - Example: user1.ring
  - RINGNAME(yourRingName)
    - Specifies the name of the key ring. The ring name can contain mixed-case characters and special characters (!&*¬-%_?:=.). Blanks are not allowed.
    - Limits: Up to 237 characters
  The key ring is created.
- Validate that your certificates are accepted by ACF2.
      SET PROFILE(USER) DIV(CERTDATA)
      CHKCERT DSN('your.mvs.cacert.name') PASSWORD(exportpassword)
      CHKCERT DSN('your.mvs.srvcert.name') PASSWORD(exportpassword)
      CHKCERT DSN('your.mvs.idashserver.cacert.name')
- Add the CA 7 Server for iDash Certificate Authority (CA) certificate to your ACF2 database.
      SET PROFILE(USER) DIV(CERTDATA)
      INSERT CERTAUTH.yourcacertname DSN('your.mvs.cacert.name') LABEL(your label description) PASSWORD(pswd)
  - yourcacertname
    - Specifies your CA 7 Server for iDash Certificate Authority (CA) certificate name
    - Example: IDASHCA
  - 'your.mvs.cacert.name'
    - Specifies the name of the sequential data set where the CA certificate was uploaded
  - your label description
    - Specifies a label of up to 32 characters to be associated with the CA certificate. The label can contain blanks and mixed-case characters. Quotes are not allowed. If a label is not specified, the label field defaults to the uppercase version of the logonid that was specified.
    - Example: IDASHCA
  - pswd
    - The password that was used to store the certificate in the gskkyman database. This field may be optional.
- Add the CA 7 Server for iDash Server certificate to your ACF2 database.
      SET PROFILE(USER) DIV(CERTDATA)
      INSERT user1.yourservercertname DSN('your.mvs.srvcert.name') LABEL(your label description) -
        TRUST PASSWORD(pswd)
  - yourservercertname
    - Specifies your CA 7 Server for iDash Server certificate name
    - Example: user1.IDASHCA
  - 'your.mvs.srvcert.name'
    - Specifies the name of the sequential data set where the Server certificate was uploaded
  - your label description
    - Specifies a label of up to 32 characters to be associated with the Server certificate. The label can contain blanks and mixed-case characters. Quotes are not allowed. If a label is not specified, the label field defaults to the uppercase version of the logonid that was specified.
    - Example: IDASHSRV
  - pswd
    - The password that was used to store the certificate in the gskkyman database. This field may be optional.
- Add the iDash Server certificate to your ACF2 database.
      SET PROFILE(USER) DIV(CERTDATA)
      INSERT user1.youriDashservercacertname DSN('your.mvs.idashserver.cacert.name') LABEL(your label description) TRUST
  - youriDashservercacertname
    - Specifies your iDash Certificate Authority (CA) certificate name
    - Example: user1.IDASHCL1
  - 'your.mvs.idashserver.cacert.name'
    - Specifies the name of the sequential data set where the iDash CA certificate was uploaded
  - your label description
    - Specifies a label of up to 32 characters to be associated with the iDash Server certificate. The label can contain blanks and mixed-case characters. Quotes are not allowed. If a label is not specified, the label field defaults to the uppercase version of the logonid that was specified.
    - Example: IDASHCL1
- Alter the server certificates to mark them as trusted, if necessary.
      SET PROFILE(USER) DIV(CERTDATA)
      CHANGE user1.yourservercertname TRUST
      CHANGE user1.youriDashservercacertname TRUST
- Connect the certificates to the key ring. After you add the certificates to the ACF2 database, connect all the certificates to the key ring.
      SET PROFILE(USER) DIV(KEYRING)
      CONNECT CERTDATA(user1.yourservercertname) KEYRING(user1.ring) USAGE(PERSONAL) DEFAULT
      CONNECT CERTDATA(user1.youriDashservercacertname) KEYRING(user1.ring) USAGE(PERSONAL)
      CONNECT CERTDATA(CERTAUTH.yourcacertname) KEYRING(user1.ring) USAGE(CERTAUTH)
  If you have another CA 7 Server for iDash and/or iDash Server that you have set up for failover, you need to add those certificates to the ACF2 database. You need to provide different DIGICERT names for these failover certificates.
- Grant user permissions for the non-shared certificates. Give user1 permission to read key rings and certificates as shown in this example:
      ACF
      SET RESOURCE(FAC)
      RECKEY IRR ADD(DIGTCERT.ADD UID(user1) -
        SERVICE(READ) ALLOW)
      RECKEY IRR ADD(DIGTCERT.ADDRING UID(user1) -
        SERVICE(READ) ALLOW)
      RECKEY IRR ADD(DIGTCERT.ALTER UID(user1) -
        SERVICE(READ) ALLOW)
      RECKEY IRR ADD(DIGTCERT.CONNECT UID(user1) -
        SERVICE(READ) ALLOW)
      RECKEY IRR ADD(DIGTCERT.LIST UID(user1) -
        SERVICE(READ) ALLOW)
      RECKEY IRR ADD(DIGTCERT.LISTRING UID(user1) -
        SERVICE(READ) ALLOW)
- Activate the KEYRING and CERTDATA records:
      F ACF2,REBUILD(USR),CLASS(P)
      F ACF2,OMVS(CERTDATA)
      F ACF2,REBUILD(FAC)
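The command sequence from the steps above, generated and checked by a script: this is an added example of ours, not code from this page or from the iDash product. It assumes the record naming the page uses (CERTAUTH.<name> for the CA record, <logonid>.<name> for server records), treats letters and digits as allowed ring-name characters alongside the listed special characters, and generalizes the two server certificates to a list so that failover servers (which the page says need distinct names) can be included; the first server certificate is connected as the DEFAULT personal certificate.

```python
import re

# Limits stated in the steps above: ring name up to 237 characters, no blanks,
# special characters !&*¬-%_?:=. (letters and digits assumed allowed); labels up
# to 32 characters with no quotes. Record naming follows the page's examples.
RING_NAME_OK = re.compile(r"^[A-Za-z0-9!&*¬%_?:=.\-]{1,237}$")

def valid_ring_name(name):
    return bool(RING_NAME_OK.match(name))

def valid_label(label):
    return 0 < len(label) <= 32 and "'" not in label and '"' not in label

def _pw(cert):
    # PASSWORD() is emitted only when the certificate was stored with one
    # (the page notes the field may be optional).
    return " PASSWORD(%s)" % cert["password"] if cert.get("password") else ""

def build_acf2_commands(user, ring_record, ring_name, ca, servers):
    """Return the ACF2 commands for the key ring, the CA certificate and one or
    more server certificates (dicts with name, dsn, label, optional password).
    The first server certificate is connected as DEFAULT; further entries model
    failover servers, which the page says need distinct names (assumption)."""
    if not valid_ring_name(ring_name):
        raise ValueError("bad ring name: %r" % ring_name)
    for c in [ca] + servers:
        if not valid_label(c["label"]):
            raise ValueError("bad label: %r" % c["label"])
    cmds = ["SET PROFILE(USER) DIV(KEYRING)",
            "INSERT %s RINGNAME(%s)" % (ring_record, ring_name),
            "SET PROFILE(USER) DIV(CERTDATA)"]
    for c in [ca] + servers:  # CHKCERT every certificate before inserting any
        cmds.append("CHKCERT DSN('%s')%s" % (c["dsn"], _pw(c)))
    cmds.append("INSERT CERTAUTH.%s DSN('%s') LABEL(%s)%s"
                % (ca["name"], ca["dsn"], ca["label"], _pw(ca)))
    for s in servers:
        cmds.append("INSERT %s.%s DSN('%s') LABEL(%s) TRUST%s"
                    % (user, s["name"], s["dsn"], s["label"], _pw(s)))
    cmds.append("SET PROFILE(USER) DIV(KEYRING)")
    for i, s in enumerate(servers):
        cmds.append("CONNECT CERTDATA(%s.%s) KEYRING(%s) USAGE(PERSONAL)%s"
                    % (user, s["name"], ring_record, " DEFAULT" if i == 0 else ""))
    cmds.append("CONNECT CERTDATA(CERTAUTH.%s) KEYRING(%s) USAGE(CERTAUTH)"
                % (ca["name"], ring_record))
    return cmds
```

The returned lines are the TSO/ACF2 commands to enter after the CHKCERT results have been reviewed; the permission RECKEY and F ACF2 activation commands are unchanged from the steps above and are not generated.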
(Optional) Post-Configuration Tasks
Debug Key Ring and Certificate Issues
- To list the key ring for the user:
      SET PROFILE(USER) DIV(KEYRING)
      LIST user1.ring
- To list the certificate authority (CA) certificates:
      SET PROFILE(USER) DIV(CERTDATA)
      LIST CERTAUTH.yourcacertname
- To list the server certificates:
      SET PROFILE(USER) DIV(CERTDATA)
      LIST user1.yourservercertname
      LIST user1.youriDashservercacertname
Replace an Expired Server Certificate
Follow these steps:
- Obtain one or more new certificates.
- Upload the certificates to z/OS.
- Delete the existing certificates from the Top Secret database so you can use the same labels for the new certificates.
      ACF
      SET PROFILE(USER) DIV(CERTDATA)
      DELETE user1.yourservercertname
      DELETE user1.youriDashservercacertname
      DELETE CERTAUTH.yourcacertname
- Add the new certificates and connect them to your key ring as previously described.