```
//**
//RINGL    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
RACDCERT LISTRING(*) ID(certificate_owner)
END
/*
```

```
//**
//CERTUSR  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
RACDCERT LIST ID(certificate_owner)
END
/*
```

```
//**
//CERTAUTH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
RACDCERT ID(certificate_owner) GENCERT -
  SUBJECTSDN ( -
    O('YourOrganization') -
    CN('certificate_owner.servername.yourdomain.com') -
    OU('zOS.Admin') -
    C('GB') -
  ) -
  WITHLABEL('CERTUSRPCCert') -
  SIGNWITH(CERTAUTH LABEL('LOCALCA'))
/*
```
| Attribute | RACDCERT GENCERT Parameter and Notes |
|---|---|
| Key size in bits | Default is 1024. Setting a value higher than 1024 might be prevented by RACF or United States export regulations. |
| Distinguished name | |
| Message digest | Default is sha1. |
| Expiration date | NOTAFTER(yyyy-mm-dd) Default is 12 months from the current date. |
| Certificate Authority | If the certificate is signed by a recognized CA, the label reflects the name of the CA. |
| RACDCERT GENCERT Parameter | Usage |
|---|---|
| WITHLABEL | Used during the export of the certificate to DER format. Will be available in the PEM certificate under "Bag Attributes - friendlyName:" |
| SIGNWITH | Specifies the certificate with a private key that is signing the certificate. The default is to sign with the private key of the certificate being generated, thus creating a self-certified certificate. This default is appropriate for certificate authority certificates but not useful with personal certificates. |
```
IRRD175I The new profile for DIGTCERT will not be in effect until a SETROPTS REFRESH has been issued.
```

```
SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
```
```
//**
//CERTAUTH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
RACDCERT EXPORT(LABEL('CERTUSRPCCert1')) -
  DSN('certificate_owner.PCCERT1.DER.P12') -
  PASSWORD('USRPWD') -
  FORMAT(PKCS12DER)
END
/*
```
| Parameter | Description |
|---|---|
| LABEL | Identifies the certificate. Must match the WITHLABEL parameter in the RACDCERT GENCERT command. |
| DSN | Identifies the output data set name in PKCS12 DER format. The data set will be dynamically allocated with DCB values RECFM=VB, LRECL=84. The data set does not need to be deleted or pre-allocated. |
| PASSWORD | Temporary password that needs to be remembered and input to the openssl pkcs12 -clcerts command that you issue in step 8. |
| FORMAT | PKCS12DER |
```
pwxussl cmd=CONVERT_CERT_PKCS12_PEM verbose=Y INFILE=E:\_MYDETAIL\SSLCerts\Exported\certificate_owner.PCCERT1.DER.P12 pwd=pwd OUT_FILE=E:\_MYDETAIL\SSLCerts\Exported\RACFEXPkey.pem
```

```
PWX-37129 MONITOR statistics switched off for process PWXUSSL
Processing console program. pwxussl cmd=CONVERT_CERT_PKCS12_PEM verbose=Y INFILE=E:\_MYDETAIL\SSLCerts\Exported\certificate_owner.PCCERT1.DER.P12 PWD=pwd OUT_FILE=E:\_MYDETAIL\SSLCerts\Exported\RACFEXPkey.pem
Importing PKCS12 file into memory X509 objects
----------------------------------------------
Opening file 'E:\_MYDETAIL\SSLCerts\Exported\SSL.RACFEXP.STQA.CERT1.DER.PKCS12'
Calling d2i_PKCS12_fp()
Closing input file
Calling PKCS12_parse()
PKCS12 contains 1 CA certificates
Exporting X509 objects to PEM file
----------------------------------
Opening output file 'E:\_MYDETAIL\SSLCerts\Exported\RACFEXPkey.pem'
Writing subject identification certificate
Writing Encrypted Private Key
Encoding private key using input password
Writing CA certificate 1
Closing output file
CONVERT_CERT_PKCS12_PEM ended OK
```
```
c:\openSSL\bin\openssl.exe pkcs12 -clcerts -in K:\sslCertificates\abc890_2\PCCert1\certificate_owner.PCCERT1.DER.P12 -out K:\sslCertificates\abc890_2\PCCert1\RACFEXPkey.pem
Enter Import Password:
xxxxxx
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
```
| SSL Parameter | Value |
|---|---|
| KEY | Output file from step 8 |
| PASS | Permanent password from step 8 |
```
DTLREXE PROG=PING LOC=NODE1SSL =>
PWX-00750 DTLREXE Input LOC=NODE1SSL, PROG=PING, PARMS=<null>, UID=<>.
PWX-00755 DTLREXE Command OK!
```

```
PWX-00591 Tasks now active = 1.
PWX-00656 Port 16495 is running in SSL mode
PWX-00652 [127.0.0.1]:1501 : TCP/IP SSL Error, rc=-1, reason <SSL_Socket_Open failed: 1239336>
PWX-31023 Open secure socket failed
PWX-31045 Certificate 1 does not verify. rc=21 "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE".
PWX-31045 Certificate 1 does not verify. rc=27 "X509_V_ERR_CERT_UNTRUSTED".
PWX-31045 Certificate 1 does not verify. rc=20 "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY".
PWX-31044 Certificate 1. Machine 'Local Client'. Type 'CA3: Self-signed X509 V1'. Start '2014-12-11 18:37:49 GMT'. End '2042-04-27 18:37:49 GMT'. Subject '/emailAddress=myuid1@machine1'. Issuer '/emailAddress=myuid1@machine1'.
PWX-00591 Tasks now active = 0.
```

```
DTLREXE PROG=PING LOC=pccertSSL =>
PWX-00750 DTLREXE Input LOC=pccertSSL, PROG=PING, PARMS=<null>, UID=<>.
PWX-00752 DTLREXE Startup Error <Failed Client Connect RCs=1217/0/0>.
PWX-00652 [127.0.0.1]:1516 : TCP/IP SSL Error, rc=31045, reason <SSL_Socket_Open failed: 31045>
PWX-31045 Certificate 1 does not verify. rc=21 "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE".
PWX-31045 Certificate 1 does not verify. rc=27 "X509_V_ERR_CERT_UNTRUSTED".
PWX-31045 Certificate 1 does not verify. rc=20 "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY".
PWX-31044 Certificate 1. Machine z390a Type CA3: Self-signed X509 V1 Start date 100811000000Z. End date 110811235959Z. Subject /C=GB/O=INFORMATICA/OU=DEVELOPMENT/CN=certificate_owner.GBW170701.INFORMATICA.COM. Issuer /C=GB/O=Informatica/OU=zOS.Admin/CN=irrcerta.z390a.informatica.com.
```
SSL=(KEY=
SSL=(CALIST=
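
A triage helper for the PWX-31045 and PWX-31044 messages shown above, added here as an example and not part of PowerExchange or the original page. The function name `triage`, the reason strings and the suggested actions are assumptions of this example; the sample input reuses messages from the second failing PING, one message per line.

```python
import re

# OpenSSL verify codes that appear in the PWX-31045 messages on this page.
VERIFY_CODES = {
    20: "issuer certificate not found in the local trust store",
    21: "leaf signature could not be verified against any issuer",
    27: "certificate is not marked as trusted",
}
RC_RE = re.compile(r"PWX-31045 Certificate (\d+) does not verify\. rc=(\d+)")
DN_RE = re.compile(r"PWX-31044 Certificate (\d+)\..*Subject '?(/.+?)'?\. "
                   r"Issuer '?(/.+?)'?\.\s*$")

def triage(log_text):
    """Return {certificate_number: summary} for each certificate that failed."""
    certs = {}
    for line in log_text.splitlines():
        m = RC_RE.search(line)
        if m:
            certs.setdefault(int(m.group(1)), {"codes": []})["codes"].append(int(m.group(2)))
            continue
        m = DN_RE.search(line)
        if m:
            entry = certs.setdefault(int(m.group(1)), {"codes": []})
            entry["subject"], entry["issuer"] = m.group(2), m.group(3)
    for entry in certs.values():
        entry["reasons"] = [VERIFY_CODES.get(c, "unknown code") for c in entry["codes"]]
        # Identical subject and issuer DNs mean the peer sent a self-signed certificate.
        subject = entry.get("subject")
        entry["self_signed"] = subject is not None and subject == entry.get("issuer")
        if entry["self_signed"]:
            entry["action"] = "trust this exact certificate or replace it with a CA-signed one"
        else:
            entry["action"] = "add the CA certificate for %s to the trusted CA list" % entry.get("issuer", "the issuer")
    return certs

# Sample input: messages from the second failing PING on this page.
SAMPLE = """\
PWX-31045 Certificate 1 does not verify. rc=21 "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE".
PWX-31045 Certificate 1 does not verify. rc=27 "X509_V_ERR_CERT_UNTRUSTED".
PWX-31045 Certificate 1 does not verify. rc=20 "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY".
PWX-31044 Certificate 1. Machine z390a Type CA3: Self-signed X509 V1 Start date 100811000000Z. End date 110811235959Z. Subject /C=GB/O=INFORMATICA/OU=DEVELOPMENT/CN=certificate_owner.GBW170701.INFORMATICA.COM. Issuer /C=GB/O=Informatica/OU=zOS.Admin/CN=irrcerta.z390a.informatica.com.
"""

if __name__ == "__main__":
    for number, entry in triage(SAMPLE).items():
        print(number, entry["codes"], entry["action"])
```

The comparison is on the DN strings exactly as logged, so it distinguishes a certificate signed by the RACF CA (second log) from a self-signed one (first log) without opening the certificate file.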