SSL Certificates
When the Analyzer is running with SYSTEM=SECURITY, you must have an SSL/TLS server certificate defined in your SAF/RACF® security system and connected to the key ring the Analyzer reads at startup: key ring ZAO_KEYRING with certificate label ZAOCERT, as configured in Analyzer PARMLIB member HZASANP2. You can either generate your own certificate (signed by a local CA that you also create in RACF) or connect to an existing certificate. In either case the certificate's CN, or an ALTNAME on the GENCERT, must match the host name that browsers use to reach the Analyzer, otherwise clients report a name mismatch; and RACDCERT GENCERT defaults to one year of validity unless NOTAFTER is given, so schedule the renewal. Both samples below end with a PERMIT step that deletes and redefines the FACILITY profiles IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING with UACC(NONE). If those profiles already exist at your site, drop the RDEL and RDEFINE lines and keep only the PERMIT and the refresh; deleting the profiles discards the access lists of every other key-ring user.
HZASANS2 in JCLLIB has sample JCL that generates a local certificate authority in RACF® (label LOCALCA, owned by CERTAUTH) and a server certificate (label ZAOCERT) signed by it, then connects both to ZAO_KEYRING. Because LOCALCA is private to your site, browsers trust ZAOCERT only after LOCALCA has been exported with RACDCERT EXPORT and installed in their trust store.
//*********************************************************************
//* To enable ZAO Analyzer to use HTTP secure (HTTPS) the following *
//* steps should be implemented by your site's RACF Administrator: *
//* 1. Delete KEYRING(ZAO_KEYRING) and certificates with the *
//* labels ZAOCERT and LOCALCA. *
//* 2. Activate RACF Classes required for digital certificates. *
//* 3. Define Keyring ZAO_KEYRING. *
//* 4. Generate certificate. *
//* 5. Connect to Keyring. *
//* 6. Refresh RACF Classes required for digital certificates. *
//* 7. Permit access to the Facility Class profiles and refresh. *
//* *
//* *
//* The following JCL demonstrates a sample implementation: *
//* 1. Update all occurrences of "Userid-running-HZASANLO" to reflect *
//* your ZAO HTTPS environment. *
//* *
//* Do not change the RACF keyring 'ZAO_KEYRING' or label *
//* 'ZAOCERT' unless you update the corresponding values in Analyzer *
//* PARMLIB member HZASANP2 and restart the Analyzer STC/Job. *
//*-------------------------------------------------------------------*
//RACFDEF EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PROF NOPREF
RACDCERT DELETE(LABEL('LOCALCA')) CERTAUTH
RACDCERT DELETE(LABEL('ZAOCERT')) ID(Userid-running-HZASANLO)
RACDCERT ID(Userid-running-HZASANLO) DELRING(ZAO_KEYRING)
SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)
RACDCERT ID(Userid-running-HZASANLO) ADDRING(ZAO_KEYRING)
RACDCERT CERTAUTH GENCERT -
SUBJECTSDN( O('Your Organization') -
CN('Your Domain') -
C('US')) TRUST -
WITHLABEL('LOCALCA') -
KEYUSAGE(CERTSIGN)
RACDCERT ID(Userid-running-HZASANLO) GENCERT -
SUBJECTSDN (CN('ZAOCERT') -
OU('Your Dept.') -
C('US')) -
WITHLABEL('ZAOCERT') -
SIGNWITH(CERTAUTH -
LABEL('LOCALCA'))
RACDCERT ID(Userid-running-HZASANLO) -
CONNECT(ID(Userid-running-HZASANLO) -
LABEL('ZAOCERT') -
RING(ZAO_KEYRING) -
DEFAULT -
USAGE(PERSONAL))
RACDCERT ID(Userid-running-HZASANLO) -
CONNECT(ID(Userid-running-HZASANLO) CERTAUTH -
LABEL('LOCALCA') -
RING(ZAO_KEYRING) -
USAGE(CERTAUTH))
SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
/*
//PERMIT EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PROF NOPREF
RDEL FACILITY IRR.DIGTCERT.LIST
RDEL FACILITY IRR.DIGTCERT.LISTRING
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) -
ID(Userid-running-HZASANLO) AC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
ID(Userid-running-HZASANLO) AC(READ)
SETR RACLIST(FACILITY) REFRESH
/*
HZASANS3 in JCLLIB has sample JCL to connect to existing SSL certificates in RACF®. Note that, as written, the sample still issues a GENCERT for ZAOCERT without SIGNWITH, which produces a self-signed certificate, and then connects the site's existing CA certificate ('Entrust Secure Server Root CA' in the example) to the key ring with USAGE(CERTAUTH), that is, as a trust anchor. That CA certificate is only useful if ZAOCERT was actually issued by that CA. For a certificate issued by an external CA the usual RACF flow keeps this GENCERT (it creates the key pair), uses RACDCERT GENREQ to produce a certificate request from it, and, once the CA returns the signed certificate, uses RACDCERT ADD with the same label ZAOCERT to replace the self-signed one while keeping the private key; those steps are not part of the sample.
//*********************************************************************
//* *
//* To enable ZAO Analyzer to use HTTP secure (HTTPS) using an *
//* existing CA certificate, 'Entrust Secure Server Root CA' in our *
//* example, the following steps should be implemented by your site's *
//* RACF Administrator: *
//* *
//* 1. Delete KEYRING(ZAO_KEYRING) and certificate with the *
//* LABEL('ZAOCERT'). *
//* 2. Activate RACF Classes required for digital certificates. *
//* 3. Define Keyring ZAO_KEYRING. *
//* 4. Connect the existing CA certificate to the Keyring. *
//* 5. Refresh RACF Classes required for digital certificates. *
//* 6. Permit access to the Facility Class profiles. *
//* *
//* *
//* The following JCL demonstrates a sample implementation: *
//* 1. Update all occurrences of "Userid-running-HZASANLO" to reflect *
//* your ZAO HTTPS environment. *
//* *
//* Do not change the RACF keyring 'ZAO_KEYRING' or label 'ZAOCERT' *
//* unless you update the corresponding values in Analyzer PARMLIB *
//* member HZASANP2 and restart the Analyzer STC/Job. *
//*-------------------------------------------------------------------*
//RACFDEF EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PROF NOPREF
RACDCERT DELETE(LABEL('ZAOCERT')) ID(Userid-running-HZASANLO)
RACDCERT ID(Userid-running-HZASANLO) DELRING(ZAO_KEYRING)
SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)
RACDCERT ID(Userid-running-HZASANLO) ADDRING(ZAO_KEYRING)
RACDCERT ID(Userid-running-HZASANLO) GENCERT -
SUBJECTSDN (CN('ZAOCERT') -
OU('Your Dept.') -
C('US')) -
WITHLABEL('ZAOCERT')
RACDCERT ID(Userid-running-HZASANLO) -
CONNECT(ID(Userid-running-HZASANLO) -
LABEL('ZAOCERT') -
RING(ZAO_KEYRING) -
DEFAULT -
USAGE(PERSONAL))
RACDCERT ID(Userid-running-HZASANLO) -
CONNECT(ID(Userid-running-HZASANLO) CERTAUTH -
LABEL('Entrust Secure Server Root CA') -
RING(ZAO_KEYRING) -
USAGE(CERTAUTH))
SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
/*
//PERMIT EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PROF NOPREF
RDEL FACILITY IRR.DIGTCERT.LIST
RDEL FACILITY IRR.DIGTCERT.LISTRING
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) -
ID(Userid-running-HZASANLO) AC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
ID(Userid-running-HZASANLO) AC(READ)
SETR RACLIST(FACILITY) REFRESH
/*
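The trust model that both samples rely on, reproduced with openssl so it can be checked off-host. This is an added example; it is not the product's code and is not taken from HZASANS2 or HZASANS3. It builds a private CA and a server certificate issued by it, as HZASANS2 does with LOCALCA and ZAOCERT, plus a self-signed server certificate, as the GENCERT without SIGNWITH in HZASANS3 does, and then runs the checks a browser performs: chain validation against the CA and host-name matching. The host name zao.example.com, the file names and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example (not from HZASANS2/HZASANS3 or the product): rebuild the
# LOCALCA -> ZAOCERT chain with openssl and run the checks a browser performs.
# Assumptions: openssl is on PATH; HOST is the name clients will connect to.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="zao.example.com"          # assumed Analyzer host name

# Step 1, like RACDCERT CERTAUTH GENCERT ... KEYUSAGE(CERTSIGN): a private CA
# whose certificate may sign other certificates.
cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Your Organization
CN = Your Domain
C = US
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK/ca.cnf" -keyout "$WORK/localca.key" \
  -out "$WORK/localca.pem" >/dev/null 2>&1

# Step 2, like RACDCERT GENCERT ... SIGNWITH(CERTAUTH LABEL('LOCALCA')):
# a server key and a certificate issued by the CA. The CN and SAN carry the
# host name, not the label 'ZAOCERT', because the host name is what clients
# check.
cat > "$WORK/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $HOST
OU = Your Dept.
C = US
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
  -keyout "$WORK/zaocert.key" -out "$WORK/zaocert.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/zaocert.csr" -CA "$WORK/localca.pem" \
  -CAkey "$WORK/localca.key" -CAcreateserial -days 365 -sha256 \
  -extfile "$WORK/leaf.ext" -out "$WORK/zaocert.pem" >/dev/null 2>&1

# What the GENCERT in HZASANS3 produces without SIGNWITH: a self-signed cert.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -config "$WORK/leaf.cnf" -keyout "$WORK/selfsigned.key" \
  -out "$WORK/selfsigned.pem" >/dev/null 2>&1

# check LEAF CAFILE HOSTNAME: prints "ok" when openssl verify accepts LEAF
# for HOSTNAME using CAFILE as the trust anchor ("-" = the system trust
# store only, which is what a browser without the imported CA has).
check() {
  if [ "$2" = "-" ]; then
    openssl verify -verify_hostname "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Client has imported LOCALCA and connects by the right name: accepted.
trusted_client()   { check "$WORK/zaocert.pem" "$WORK/localca.pem" "$HOST"; }
# Client never imported LOCALCA: rejected (unknown issuer).
untrusted_client() { check "$WORK/zaocert.pem" - "$HOST"; }
# CA imported, but the name used does not match the certificate (the effect
# of leaving CN as 'ZAOCERT'): rejected by host-name verification.
wrong_host()       { check "$WORK/zaocert.pem" "$WORK/localca.pem" "other.example.com"; }
# Self-signed ZAOCERT checked against a CA that did not issue it (an Entrust
# root on the key ring next to a self-signed ZAOCERT): rejected.
selfsigned_vs_ca() { check "$WORK/selfsigned.pem" "$WORK/localca.pem" "$HOST"; }

echo "trusted client:   $(trusted_client)"
echo "untrusted client: $(untrusted_client)"
echo "wrong host:       $(wrong_host)"
echo "self-signed:      $(selfsigned_vs_ca)"
```

Against the running Analyzer the same check is openssl s_client -connect host:port -servername host -CAfile localca.pem, where localca.pem is the LOCALCA certificate exported from RACF; a "Verify return code: 0 (ok)" line in its output means the certificate chain and name will also satisfy a browser that has imported LOCALCA.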