How to define a midrange self signed certificate and get it into z/OS

Although I disapprove of using self signed certificates (it is like having a secure lock on one door, but leaving another door open), sometimes there is a need to use one on the journey to using signed certificates – just to get the environment working.

Create the certificate on Linux

On Linux, I set up a bash script to create the self signed certificate.  (I used a bash script so I can parametrize values, and “name” is used in many places.)

subj='-subj /C=GB/O=SSS/CN=SS'
addext='-addext keyUsage=keyCertSign,digitalSignature'
name='ss'
# empty: openssl pkcs12 prompts for the export password
passwords=''

# remove the old files for this cert (-f: no error if they do not exist yet)
rm -f $name.pem $name.key.pem $name.p12

# create the certificate and the private key
openssl req -x509 -newkey rsa:4096 -nodes -out $name.pem -keyout $name.key.pem $subj $addext

# Combine the two files into a p12 (PKCS12) file.
openssl pkcs12 -export -inkey $name.key.pem -in $name.pem -out $name.p12 -name $name $passwords

# display it
openssl x509 -in $name.pem -text -noout|less

This creates the certificate file, the key file and a .p12 file to be used by my application.

FTP the certificate file, ss.pem, to z/OS as text.  Once you have FTPed the file, check the first line is "-----BEGIN CERTIFICATE-----".

Add it to RACF

 

//IBMRACF JOB 1,MSGCLASS=H 
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT DELETE (LABEL('MYSS')) ID(START1)
SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh

RACDCERT ADD('IBMUSER.MY.SS.PEM') -
ID(START1) WITHLABEL('MYSS')

 /* connect it to START1.TRUSTRING */
RACDCERT ID(START1) CONNECT(RING(TRUSTRING ) -
USAGE(CERTAUTH) -
ID(START1) LABEL('MYSS') )

racdcert list (label('MYSS')) id(start1)

racdcert listring(TRUSTRING) id(start1)

SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh
/*

The list command gave

Digital certificate information for START1:
Label: MYSS
Certificate ID: 2QiJmZmDhZmjgcTB1eLi
Status: TRUST
Start Date: 2021/01/18 14:14:38
End Date: 2021/02/17 14:14:38
Serial Number:
>73CB2B49D0E56BBEAA95EC8EA01FCCC549A97BA8<
Issuer's Name:
>CN=SS.O=SSS.C=GB<
Subject's Name:
>CN=SS.O=SSS.C=GB<
Signing Algorithm: sha256RSA
Key Type: RSA
Key Size: 4096
Private Key: NO
Ring Associations:
Ring Owner: START1
Ring:
>TRUSTRING<

You can see this does not have the private key.   The issuer’s name matches the Subject’s name, so this shows it is self signed.
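The same checks (first line of the file, no private key, issuer equal to subject) can be run on the Linux side before the FTP. This is an added example, not part of the original post; `check_pem_for_racf` is a hypothetical helper name and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example: checks on the PEM file before it is given to RACDCERT ADD.
# check_pem_for_racf is a hypothetical helper name, not an openssl or RACF command.
check_pem_for_racf() {
    pem=$1
    # The first line must be the PEM certificate header (the check done after FTP).
    [ "$(head -n 1 "$pem" | tr -d '\r')" = "-----BEGIN CERTIFICATE-----" ] || {
        echo "FAIL: first line is not the BEGIN CERTIFICATE header" >&2; return 1; }
    # Only the certificate goes to z/OS; the private key stays on the client.
    if grep -q "PRIVATE KEY-----" "$pem"; then
        echo "FAIL: file also contains a private key" >&2; return 2
    fi
    # The body must parse as an X.509 certificate.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || {
        echo "FAIL: not a readable X.509 certificate" >&2; return 3; }
    # Self signed: the issuer name equals the subject name.
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || {
        echo "FAIL: issuer and subject differ, not self signed" >&2; return 4; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || {
        echo "FAIL: certificate has expired" >&2; return 5; }
    # Print the values to compare with Serial Number and End Date in RACDCERT LIST.
    openssl x509 -in "$pem" -noout -serial -enddate
}

# Constructed sample input: a throwaway certificate with the article's subject.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -subj /C=GB/O=SSS/CN=SS \
    -out "$tmp/ss.pem" -keyout "$tmp/ss.key.pem" 2>/dev/null
check_pem_for_racf "$tmp/ss.pem"
# Constructed bad input: certificate and key in one file must be rejected.
cat "$tmp/ss.pem" "$tmp/ss.key.pem" > "$tmp/both.pem"
check_pem_for_racf "$tmp/both.pem" || echo "rejected with code $?"
```

The `serial=` value printed should match the Serial Number shown by RACDCERT LIST. The 30 day lifetime in the listing above is the `openssl req` default when `-days` is not given.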

Restart your web server to pick up the changes to the trust keyring.

Change your client to point to the .p12 file, and specify the password.

-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.keyStore=/home/colin/checkTLS/ss.p12
-Djavax.net.ssl.keyStoreType=pkcs12

Restart your client.

Other ways of creating your client certificate

Above I used

openssl req -x509 -newkey rsa:4096 -nodes -out $name.pem -keyout $name.key.pem $subj $addext

to create a request.   This is actually two operations

  1. Create a private key
  2. Create a certificate

For some combination of parameters it may be easier to do this in two steps

Create the private key.  This creates a private key using an elliptic curve.

openssl ecparam -name secp384r1 -genkey -noout -out $name.key.pem

Create the certificate request using the private key

openssl req -config eccert.config -passin pass:password -sha384 -new -key $name.key.pem -out $name.csr -outform PEM -subj "/C=GB/O=cpwebuser/CN="$name $password
