SSL Certificates

When the Analyzer is running with SYSTEM=SECURITY, you must have an SSL Certificate defined in your SAF/RACF® security system. You can either generate your own certificate, or connect to an existing certificate.

HZASANS2 in JCLLIB has sample JCL to generate SSL certificates in RACF®.
//*********************************************************************
//*                                                                   *
//* To enable FZVSAM Analyzer to use HTTP secure (HTTPS) the following *
//* steps should be implemented by your site's RACF Administrator:    *
//* 1. Delete KEYRING(FZVSAM_KEYRING) and certificates with the        *
//*    labels FZVSAMCERT and LOCALCA.                                  *
//* 2. Activate RACF Classes required for digital certificates.       *
//* 3. Define Keyring FZVSAM_KEYRING.                                  *
//* 4. Generate certificate.                                          *
//* 5. Connect to Keyring.                                            *
//* 6. Refresh RACF Classes required for digital certificates.        *
//* 7. Permit access to the Facility Class profiles and refresh.      *
//*                                                                   *
//*                                                                   *
//* The following JCL demonstrates a sample implementation:           *
//* 1. Update all occurrences of "Userid-running-HSISANLO" to reflect *
//*    your FZVSAM HTTPS environment.                                  *
//*                                                                   *
//* Do not change the RACF keyring 'FZVSAM_KEYRING' or label           *
//* 'FZVSAMCERT' unless you update the corresponding values in Analyzer*
//* PARMLIB member HSISANP2 and restart the Analyzer STC/Job.         *
//*-------------------------------------------------------------------*
//*-------------------------------------------------------------------*
//* RACFDEF: runs the RACF commands in SYSTSIN under batch TSO
//* (IKJEFT01). In order, the commands:
//*   - delete any existing 'LOCALCA' CA certificate, 'FZVSAMCERT'
//*     certificate and FZVSAM_KEYRING ring (RACDCERT DELETE/DELRING);
//*   - activate classes DIGTCERT and DIGTNMAP (SETROPTS CLASSACT);
//*   - recreate FZVSAM_KEYRING for the Analyzer user ID (ADDRING);
//*   - generate a local CA certificate 'LOCALCA' with
//*     KEYUSAGE(CERTSIGN) and TRUST (first GENCERT);
//*   - generate 'FZVSAMCERT' signed with 'LOCALCA' (second GENCERT);
//*   - connect 'FZVSAMCERT' (DEFAULT, USAGE(PERSONAL)) and
//*     'LOCALCA' (USAGE(CERTAUTH)) to the ring;
//*   - refresh DIGTCERT and DIGTNMAP (SETROPTS RACLIST REFRESH).
//*
//* NOTE(review): DELETE(LABEL('LOCALCA')) CERTAUTH is not scoped to
//* this product. Confirm no other certificate at your site depends
//* on a CA certificate with that label before running this step.
//*
//* NOTE(review): neither GENCERT specifies SIZE, NOTAFTER or
//* ALTNAME. Key size and expiry therefore come from the RACF
//* defaults (validity believed to be one year - confirm), so check
//* them against site policy and plan for renewal. The subject is
//* CN('FZVSAMCERT') with no ALTNAME(DOMAIN(...)), so HTTPS clients
//* that verify the host name will presumably reject it - verify.
//*
//* NOTE(review): 'LOCALCA' is a private CA. HTTPS clients will not
//* trust 'FZVSAMCERT' until the 'LOCALCA' certificate is added to
//* their trust stores.
//*
//* NOTE(review): the CA GENCERT and the second CONNECT name both
//* ID(...) and CERTAUTH, which RACDCERT appears to treat as
//* alternatives. Check SYSTSPRT to confirm 'LOCALCA' was created
//* and connected as a CERTAUTH certificate.
//*-------------------------------------------------------------------*
//RACFDEF    EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

 RACDCERT DELETE(LABEL('LOCALCA')) CERTAUTH
 RACDCERT DELETE(LABEL('FZVSAMCERT')) ID(Userid-running-HSISANLO)
 RACDCERT ID(Userid-running-HSISANLO) DELRING(FZVSAM_KEYRING)

 SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)

 RACDCERT ID(Userid-running-HSISANLO) ADDRING(FZVSAM_KEYRING)

 RACDCERT ID(Userid-running-HSISANLO) CERTAUTH GENCERT -
 SUBJECTSDN( O('Your Organization')   -
 CN('Your Domain')                    -
 C('US')) TRUST                       -
 WITHLABEL('LOCALCA')                 -
 KEYUSAGE(CERTSIGN)

 RACDCERT ID(Userid-running-HSISANLO) GENCERT -
 SUBJECTSDN (CN('FZVSAMCERT')                  -
 OU('Your Dept.')                             -
 C('US'))                                     -
 WITHLABEL('FZVSAMCERT')                       -
 SIGNWITH(CERTAUTH                            -
 LABEL('LOCALCA'))

 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO)          -
 LABEL('FZVSAMCERT')                           -
 RING(FZVSAM_KEYRING)                          -
 DEFAULT                                      -
 USAGE(PERSONAL))


 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO) CERTAUTH -
 LABEL('LOCALCA')                             -
 RING(FZVSAM_KEYRING)                          -
 USAGE(CERTAUTH))

 SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
/*
//*-------------------------------------------------------------------*
//* PERMIT: deletes and redefines FACILITY profiles
//* IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING with UACC(NONE),
//* grants READ on both to the Analyzer user ID, then refreshes the
//* FACILITY class.
//*
//* NOTE(review): RDEL removes an existing profile together with its
//* access list. If these profiles are already defined at your site,
//* every other user ID permitted to them loses access when this
//* step runs. List them first, for example
//*   RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
//* and, if they exist, run only the PERMIT and SETR commands.
//*
//* UACC(NONE) plus READ for a single user ID keeps keyring and
//* certificate listing restricted to the Analyzer user ID; do not
//* raise UACC to work around access errors.
//*-------------------------------------------------------------------*
//PERMIT     EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

  RDEL FACILITY IRR.DIGTCERT.LIST
  RDEL FACILITY IRR.DIGTCERT.LISTRING

  RDEFINE FACILITY IRR.DIGTCERT.LIST  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING  UACC(NONE)

  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY)     -
  ID(Userid-running-HSISANLO) AC(READ)

  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
  ID(Userid-running-HSISANLO) AC(READ)

  SETR RACLIST(FACILITY) REFRESH
/*
HZASANS3 in JCLLIB has sample JCL to connect to existing SSL certificates in RACF®.
//*********************************************************************
//*                                                                   *
//* To enable FZVSAM Analyzer to use HTTP secure (HTTPS) using an      *
//* existing CA certificate, 'Entrust Secure Server Root CA' in our   *
//* example, the following steps should be implemented by your site's *
//* RACF Administrator:                                               *
//*                                                                   *
//* 1. Delete KEYRING(FZVSAM_KEYRING) and certificate with the         *
//*    LABEL('FZVSAMCERT').                                            *
//* 2. Activate RACF Classes required for digital certificates.       *
//* 3. Define Keyring FZVSAM_KEYRING.                                  *
//* 4. Connect the existing CA certificate to the Keyring.            *
//* 5. Refresh RACF Classes required for digital certificates.        *
//* 6. Permit access to the Facility Class profiles.                  *
//*                                                                   *
//*                                                                   *
//* The following JCL demonstrates a sample implementation:           *
//* 1. Update all occurrences of "Userid-running-HSISANLO" to reflect *
//*    your FZVSAM HTTPS environment.                                  *
//*                                                                   *
//* Do not change the RACF keyring 'FZVSAM_KEYRING' or label 'FZVSAMCERT'
//* unless you update the corresponding values in Analyzer PARMLIB    *
//* member HSISANP2 and restart the Analyzer STC/Job.                 *
//*-------------------------------------------------------------------*
//*-------------------------------------------------------------------*
//* RACFDEF: runs the RACF commands in SYSTSIN under batch TSO
//* (IKJEFT01). In order, the commands:
//*   - delete any existing 'FZVSAMCERT' certificate and
//*     FZVSAM_KEYRING ring (RACDCERT DELETE/DELRING);
//*   - activate classes DIGTCERT and DIGTNMAP (SETROPTS CLASSACT);
//*   - recreate FZVSAM_KEYRING for the Analyzer user ID (ADDRING);
//*   - generate 'FZVSAMCERT' (GENCERT; this step is not in the
//*     numbered list in the header comment);
//*   - connect 'FZVSAMCERT' (DEFAULT, USAGE(PERSONAL)) and the
//*     existing 'Entrust Secure Server Root CA' certificate
//*     (USAGE(CERTAUTH)) to the ring;
//*   - refresh DIGTCERT and DIGTNMAP (SETROPTS RACLIST REFRESH).
//*
//* NOTE(review): the GENCERT has no SIGNWITH, so 'FZVSAMCERT' is
//* self-signed. Connecting the Entrust root to the ring does not
//* make 'FZVSAMCERT' a certificate issued by that CA, and HTTPS
//* clients will not chain it to the Entrust root. If a CA-issued
//* server certificate is required, the usual route is a
//* certificate request (RACDCERT GENREQ) sent to the CA and the
//* returned certificate added with RACDCERT ADD - confirm with
//* your RACF administrator.
//*
//* NOTE(review): the GENCERT does not specify SIZE, NOTAFTER or
//* ALTNAME. Key size and expiry therefore come from the RACF
//* defaults (validity believed to be one year - confirm), so check
//* them against site policy and plan for renewal. The subject is
//* CN('FZVSAMCERT') with no ALTNAME(DOMAIN(...)), so HTTPS clients
//* that verify the host name will presumably reject it - verify.
//*
//* NOTE(review): the second CONNECT names both ID(...) and
//* CERTAUTH, which RACDCERT appears to treat as alternatives.
//* Check SYSTSPRT to confirm the CA certificate was connected.
//*-------------------------------------------------------------------*
//RACFDEF    EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

 RACDCERT DELETE(LABEL('FZVSAMCERT')) ID(Userid-running-HSISANLO)
 RACDCERT ID(Userid-running-HSISANLO) DELRING(FZVSAM_KEYRING)

 SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)

 RACDCERT ID(Userid-running-HSISANLO) ADDRING(FZVSAM_KEYRING)

 RACDCERT ID(Userid-running-HSISANLO) GENCERT -
 SUBJECTSDN (CN('FZVSAMCERT')                  -
 OU('Your Dept.')                             -
 C('US'))                                     -
 WITHLABEL('FZVSAMCERT')

 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO)          -
 LABEL('FZVSAMCERT')                           -
 RING(FZVSAM_KEYRING)                          -
 DEFAULT                                      -
 USAGE(PERSONAL))

 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO) CERTAUTH -
 LABEL('Entrust Secure Server Root CA')       -
 RING(FZVSAM_KEYRING)                          -
 USAGE(CERTAUTH))

 SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
/*
/*                                                  
//*-------------------------------------------------------------------*
//* PERMIT: deletes and redefines FACILITY profiles
//* IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING with UACC(NONE),
//* grants READ on both to the Analyzer user ID, then refreshes the
//* FACILITY class.
//*
//* NOTE(review): RDEL removes an existing profile together with its
//* access list. If these profiles are already defined at your site,
//* every other user ID permitted to them loses access when this
//* step runs. List them first, for example
//*   RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
//* and, if they exist, run only the PERMIT and SETR commands.
//*
//* UACC(NONE) plus READ for a single user ID keeps keyring and
//* certificate listing restricted to the Analyzer user ID; do not
//* raise UACC to work around access errors.
//*-------------------------------------------------------------------*
//PERMIT     EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

  RDEL FACILITY IRR.DIGTCERT.LIST
  RDEL FACILITY IRR.DIGTCERT.LISTRING

  RDEFINE FACILITY IRR.DIGTCERT.LIST  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING  UACC(NONE)

  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY)     -
  ID(Userid-running-HSISANLO) AC(READ)

  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
  ID(Userid-running-HSISANLO) AC(READ)

  SETR RACLIST(FACILITY) REFRESH
/*