I wanted to connect some clients to my z/OS queue manager over a TLS channel. This post describes how I set up the z/OS keyring with the certificates.
Define the keyring.
The CSQ9 CHINIT runs with a userid of START1, so I defined a keyring belonging to that id.
I set up a dataset called IBM.MQCSQ9.KEYRING to keep all of my JCL in for the CSQ9 queue manager. This makes it easier to clone the definitions for another queue manager.
The definitions create the keyring, and add the z/OS CA certificate (CERTAUTH ADCD_CA) to it.
//IBMRACF JOB 1,MSGCLASS=H
//* Use JCL for the RACF definitions
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/*RACDCERT DELRING(MQRING) ID(START1)
RACDCERT ADDRING(MQRING) ID(START1)
RACDCERT ID(START1 ) -
CONNECT(RING(MQRING) LABEL('ADCD-CA') CERTAUTH)
SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh
Define the queue manager's certificate. This uses a NIST elliptic curve key of size 256 bits (NISTECC SIZE(256)), signed with the ADCD-CA certificate.
/*RACDCERT ID(START1) DELETE(LABEL('CSQ9CERT'))
RACDCERT ID(START1) GENCERT -
  SUBJECTSDN(CN('CSQ9CERT') -
             O('ADCD') -
             OU('TEST')) -
  SIZE(256) -
  NISTECC -
  SIGNWITH(CERTAUTH LABEL('ADCD-CA')) -
  ALTNAME(IP(10.1.1.9)) -
  NOTAFTER(DATE(2021-12-29)) -
  WITHLABEL('CSQ9CERT')
RACDCERT ID(START1) ALTER(LABEL('CSQ9CERT')) TRUST
RACDCERT ID(START1) CONNECT(RING(MQRING) -
  LABEL('CSQ9CERT') USAGE(PERSONAL))
RACDCERT LISTRING(MQRING) ID(START1)
RACDCERT LIST(LABEL('CSQ9CERT')) ID(START1)
SETROPTS RACLIST(DIGTCERT,DIGTRING) REFRESH
It needs ALTNAME(IP(10.1.1.2)) (or similar) because some browsers check this name against the IP address of the server.
Configure the queue manager
%CSQ9 ALTER QMGR SSLKEYR(START1/MQRING) CERTLABL(CSQ9CERT)
Note: if the keyring name is mixed case, you need to put the value in quotes.
Export the CA certificate from z/OS and send it to the client machine
RACDCERT CERTAUTH EXPORT(LABEL('ADCD-CA'))-
DSN('IBMUSER.CERT.ADCDCA.PEM') -
FORMAT(CERTB64) -
PASSWORD('password')
The data set IBMUSER.CERT.ADCDCA.PEM contains text, and its first line is -----BEGIN CERTIFICATE-----. Send this file to the client machine, for example using FTP. I sent it as zos.adcdca.pem.
Import this to the keystore
runmqakm -cert -add -file zos.adcdca.pem -type cms -stashed -db zzclient.kdb -label zosca
Upload the certificates from Linux to z/OS.
On Linux, my CA certificate was in a *.pem file whose first line was -----BEGIN CERTIFICATE-----. Send this to z/OS. I used FTP.
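Both transfers above (z/OS to Linux and Linux to z/OS) move a PEM file with FTP, and the only check the post gives is that the first line reads -----BEGIN CERTIFICATE-----. The script below is an added example, not code from the original post; it checks a transferred PEM file before it is fed to runmqakm or RACDCERT ADD: the BEGIN/END markers are intact and plain ASCII (typographic dashes copied from a web page fail), the body is valid base64, and the decoded bytes form one well-formed DER SEQUENCE. It also detects the common mistake of sending the z/OS data set in binary mode, in which case the file arrives in EBCDIC and its first byte is the EBCDIC '-' (0x60 in code page 037, an assumption about the code page in use). The sample inputs at the bottom are constructed, not real certificates.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
EBCDIC_DASH = b"\x60"  # '-' in EBCDIC code page 037 (assumed code page)


def der_outer(der: bytes):
    """Decode the outermost DER tag and length: returns (tag, header_len, content_len)."""
    if len(der) < 2:
        raise ValueError("too short for a DER TLV")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return tag, 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem(data: bytes) -> dict:
    """Validate a transferred PEM certificate file; returns ok flag, issues, DER size."""
    issues = []
    result = {"ok": False, "issues": issues, "der_length": 0}

    # A z/OS data set sent with FTP in binary mode arrives untranslated (EBCDIC).
    if data[:1] == EBCDIC_DASH:
        issues.append("file is EBCDIC: it was sent in binary mode; re-send it as text (ASCII)")
        return result
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        issues.append("non-ASCII bytes present; markers must use plain '-' (check for copied typographic dashes)")
        return result

    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        issues.append(f"first line is not {BEGIN}")
    if not lines or lines[-1] != END:
        issues.append(f"last line is not {END}")
    if issues:
        return result

    # strict base64: any stray character (e.g. from a text editor) is rejected
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError) as exc:
        issues.append(f"body is not valid base64: {exc}")
        return result

    # an X.509 certificate is a single DER SEQUENCE covering the whole body
    try:
        tag, hdr, clen = der_outer(der)
    except ValueError as exc:
        issues.append(str(exc))
        return result
    if tag != 0x30:
        issues.append(f"DER does not start with SEQUENCE (tag 0x{tag:02x})")
    elif hdr + clen != len(der):
        issues.append(f"DER length mismatch: header says {hdr + clen} bytes, file has {len(der)}")

    result["der_length"] = len(der)
    result["ok"] = not issues
    return result


# Constructed samples (not real certificates): the body is the base64 of a 5-byte
# DER SEQUENCE containing one INTEGER, enough to exercise the structural checks.
GOOD_PEM = (BEGIN + "\nMAMCAQU=\n" + END + "\n").encode("ascii")
BINARY_MODE_PEM = (BEGIN + "\nMAMCAQU=\n" + END + "\n").encode("cp037")
TRUNCATED_PEM = (BEGIN + "\nMAMCAQU=\n").encode("ascii")

if __name__ == "__main__":
    for name, sample in [("good", GOOD_PEM), ("binary-mode", BINARY_MODE_PEM),
                         ("truncated", TRUNCATED_PEM)]:
        print(name, check_pem(sample))
```

Run it against the transferred file with `check_pem(open("zos.adcdca.pem", "rb").read())`; a file that fails the EBCDIC check is fixed by repeating the FTP transfer in ASCII (text) mode rather than by editing the file.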
Import the CA into the keyring.
The commands add an existing CA certificate, labelled CARSA1024, under userid START1. Connecting it with USAGE(CERTAUTH) marks it as a CA certificate in the ring, without the certificate needing to belong to the CERTAUTH userid.
/*RACDCERT DELETE(LABEL('CARSA1024')) ID(START1)
SETROPTS RACLIST(DIGTCERT,DIGTRING) REFRESH
RACDCERT ADD('IBMUSER.CARS1024.PEM') -
  ID(START1) WITHLABEL('CARSA1024')
RACDCERT ID(START1) CONNECT(RING(MQRING) -
  USAGE(CERTAUTH) -
  ID(START1) -
  LABEL('CARSA1024'))
RACDCERT LISTRING(MQRING) ID(START1)
SETROPTS RACLIST(DIGTCERT,DIGTRING) REFRESH
Refresh the queue manager
%CSQ9 refresh security type(SSL)