Creating a Personal Certificate with OpenSSL

To create a personal or subject identification certificate, issue the OpenSSL req and x509 commands, and then concatenate the two files that these commands create.
Alternatively, you can create a personal certificate using one of the following methods:
  • Export an existing Windows certificate, and convert it to .pem format using OpenSSL.
  • Generate a personal certificate on the mainframe using RACF, export the certificate, and convert it to .pem format using OpenSSL.
To create a personal certificate using OpenSSL, perform the following actions:
  1. If the OpenSSL program is not already running, enter the following command at the command prompt:
    openssl
    The OpenSSL> prompt appears.
  2. To generate a private key and a request for a personal certificate, issue the OpenSSL req command:
    OpenSSL> req -newkey rsa:2048 -sha256 -keyout personalkey.pem -out personalreq.pem
    -newkey rsa:2048
    Generates a new certificate request and a 2048-bit RSA private key.
    -sha256
    Specifies to use the SHA-256 hash function (message digest) to sign the request.
    -keyout personalkey.pem
    File name to which to write the private key for the personal certificate.
    -out personalreq.pem
    File name to which to write the certificate request for the personal certificate.
  3. At the prompt for a pass phrase, enter the pass phrase that you provided when you created the CA certificate.
  4. At the prompt for a PEM pass phrase, enter a second pass phrase. You will specify this pass phrase in the PASS= parameter of the SSL statement in the DBMOVER configuration file.
  5. Respond to the series of prompts that OpenSSL displays. You can use the same responses that you provided for the CA certificate request.
  6. To generate a personal certificate, issue the OpenSSL x509 command:
    OpenSSL> x509 -req -in personalreq.pem -sha256 -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out personalcert.pem
    -req
    Specifies that the input is a certificate request, rather than a certificate.
    -in personalreq.pem
    Name of the input certificate request file that you created in the previous step.
    -sha256
    Specifies to use the SHA-256 hash function (message digest) to sign the request.
    -CA rootcert.pem
    File name of the CA root certificate that you created in the previous step.
    -CAkey rootkey.pem
    Specifies to use the CA private key that you created in the previous step to sign this certificate.
    -CAcreateserial
    Creates the CA serial number file.
    -out personalcert.pem
    File name to which to write the subject identification certificate.
  7. Concatenate the personal key and personal certificate.
    On Windows, enter the following command:
    type personalcert.pem personalkey.pem > personalcertkey.pem
    On Linux or UNIX, enter the following command:
    cat personalcert.pem personalkey.pem > personalcertkey.pem
    This step creates the file personalcertkey.pem. Specify this value in the KEY= parameter of the SSL statement in the DBMOVER configuration file.
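
The procedure above run non-interactively, followed by checks worth making on personalcertkey.pem before the KEY= parameter points at it: the certificate chains to the CA, it is signed with SHA-256, and the bundled key belongs to it. This is an added example, not part of the PowerExchange documentation; the throwaway CA, subject names, pass-phrase values, test.cnf and the function names make_personal_pem and check_personal_pem are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PowerExchange guide. File names follow the page;
# the throwaway CA, subject names and pass phrases are constructed test values.
export CA_PASS='constructed-ca-pass' PERSONAL_PASS='constructed-personal-pass'

# make_personal_pem DIR: build a test CA, then run the req, x509 and cat steps.
make_personal_pem() (
    umask 077                       # key material must not be world-readable
    cd "$1" || exit 1
    # Minimal config so the run does not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' > test.cnf
    openssl req -x509 -config test.cnf -newkey rsa:2048 -sha256 -days 1 \
        -subj '/CN=Constructed Test CA' -passout env:CA_PASS \
        -keyout rootkey.pem -out rootcert.pem 2>/dev/null || exit 1
    # Step 2: private key plus certificate request.
    openssl req -config test.cnf -newkey rsa:2048 -sha256 \
        -subj '/CN=constructed-subject' -passout env:PERSONAL_PASS \
        -keyout personalkey.pem -out personalreq.pem 2>/dev/null || exit 1
    # Step 6: the CA signs the request with SHA-256.
    openssl x509 -req -in personalreq.pem -sha256 -CA rootcert.pem \
        -CAkey rootkey.pem -passin env:CA_PASS -CAcreateserial \
        -out personalcert.pem 2>/dev/null || exit 1
    # Step 7: certificate first, then the encrypted private key.
    cat personalcert.pem personalkey.pem > personalcertkey.pem
)

# check_personal_pem BUNDLE CACERT: prints OK and returns 0 only if the
# certificate chains to CACERT, is SHA-256 signed, and matches the bundled key.
check_personal_pem() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
        || { echo 'FAIL chain'; return 1; }
    openssl x509 -in "$1" -noout -text \
        | grep -q 'Signature Algorithm: sha256' \
        || { echo 'FAIL digest'; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -passin env:PERSONAL_PASS -pubout \
        2>/dev/null) || { echo 'FAIL key unreadable'; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo 'FAIL key mismatch'; return 1; }
    echo 'OK'
}

demo_dir=$(mktemp -d)
make_personal_pem "$demo_dir" &&
    check_personal_pem "$demo_dir/personalcertkey.pem" "$demo_dir/rootcert.pem"
rm -rf "$demo_dir"
```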