Someone contacted me saying that they had a z/OS application which was trying to access a remote server using TLS, but the connection was failing because the incoming certificate could not be validated.
Or, to put it another way: a certificate and its CA arrived at my system; how do I get the CA into my keyring so the certificate can be validated?
One way of getting the certificate is to use a browser. I used Chrome.
- enter the URL and press enter. It should display a page with a padlock at the front of the URL
- click on this padlock
- it should say “connection is secure”
- click on “certificate is valid”, it displays certificate information
- click on details. It should list the certificate and any CA certificates
- click on the CA of interest
- click Export and save the file (as Base64-encoded ASCII)
- this will create a file containing -----BEGIN CERTIFICATE----- … -----END CERTIFICATE-----
- check that this CA certificate is valid, and does not belong to a bad guy
- upload this to a sequential file on z/OS
- check it with RACDCERT CHECKCERT, for example from a batch TSO job
//COLRACFI JOB 1,MSGCLASS=H
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT CHECKCERT('COLIN.IMPORT.CA.PEM')
/*
- Add it to RACF database
RACDCERT CERTAUTH ADD('COLIN.IMPORT.CA.PEM') -
WITHLABEL('MYBANK.CA') TRUST
- connect it to the keyring, CICSID/CICSRING
RACDCERT CONNECT(CERTAUTH LABEL('MYBANK.CA') -
RING(CICSRING) USAGE(CERTAUTH)) ID(CICSID)
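The "check that this CA certificate is valid" and "Base64-encoded ASCII" steps above are where things usually go wrong before the file ever reaches RACDCERT CHECKCERT: a copy/paste that turns the five ASCII hyphens of the BEGIN/END lines into Unicode dashes, a truncated body, or simply the wrong CA. The following Python script is an added example, not code from the original post; it runs on the workstation with only the standard library and needs nothing from the z/OS side. It splits a PEM file into its certificates, refuses non-ASCII input, checks that each body is valid Base64 that decodes to a complete DER SEQUENCE, and prints the SHA-256 fingerprint of each certificate so it can be compared with the fingerprint the browser shows (or one published by the CA's owner) before the CA is trusted. The sample certificate, the file names and the dash-mangled copy are all constructed for the example.

```python
"""Sanity-check a PEM CA certificate before uploading it to z/OS.

Added example (not from the original post). Standard library only; the
sample "certificate" below is a constructed DER SEQUENCE, not a real CA.
"""
import base64
import binascii
import hashlib
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem(text):
    """Return the Base64 body of every CERTIFICATE block in a PEM file.

    Refuses non-ASCII input: a pasted file whose BEGIN/END lines carry
    Unicode dashes instead of five ASCII hyphens is not a valid PEM file.
    """
    if not text.isascii():
        bad = sorted({c for c in text if not c.isascii()})
        raise ValueError(f"non-ASCII characters in PEM file: {bad!r}")
    pattern = re.escape(BEGIN) + r"(.*?)" + re.escape(END)
    bodies = re.findall(pattern, text, re.S)
    if not bodies:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    # drop the line breaks inside each body
    return ["".join(body.split()) for body in bodies]


def der_from_body(body):
    """Decode one Base64 body and check that it is a complete DER SEQUENCE."""
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid Base64: {exc}") from exc
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    first = der[1]
    if first & 0x80:  # long form: the low bits give the number of length bytes
        nbytes = first & 0x7F
        header = 2 + nbytes
        length = int.from_bytes(der[2:header], "big")
    else:  # short form: the byte is the length itself
        header, length = 2, first
    if header + length != len(der):
        raise ValueError(
            f"DER says {length} payload bytes, file has {len(der) - header}"
            " (truncated or corrupted during copy/upload)")
    return der


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, colon-separated as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pem(text):
    """Fingerprint of every certificate in the file, or ValueError if it is unusable."""
    return [fingerprint(der_from_body(body)) for body in split_pem(text)]


# --- constructed sample input (not a real certificate) ---------------------
def build_sample_der(payload):
    """Wrap payload in a DER SEQUENCE header; stands in for a real certificate."""
    n = len(payload)
    if n < 0x80:
        return bytes([0x30, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(length_bytes)]) + length_bytes + payload


SAMPLE_DER = build_sample_der(b"\x02\x01\x01" * 60)  # 180-byte payload, long-form length
SAMPLE_PEM = "\n".join(
    [BEGIN] + textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64) + [END]) + "\n"
# the same file after a paste that turned the hyphen runs into em/en dashes
MANGLED_PEM = SAMPLE_PEM.replace("-----", "\u2014\u2013")

if __name__ == "__main__":
    for fp in check_pem(SAMPLE_PEM):
        print("certificate SHA-256:", fp)
    try:
        check_pem(MANGLED_PEM)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against the exported file instead of SAMPLE_PEM; only when the fingerprint matches what you expect should the file be uploaded to z/OS and handed to RACDCERT CHECKCERT. The fingerprint comparison is the part that answers "does this CA belong to a bad guy"; the structural checks only save a round trip to the mainframe.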