Moving from WebSphere Application Server security to a z/OS security product

A WebSphere for z/OS V7.0 step by step example

Keith Jabcuga, Kawsar Kamal
[email protected], [email protected]
WebSphere Software Support for z/OS, Poughkeepsie, NY
October 29, 2010

Doc ID: 7013154

Introduction

WebSphere Application Server for z/OS can be set up with either WebSphere security or z/OS security. After installing and configuring the application server with WebSphere security, an administrator may wish to switch an existing server over to z/OS security.

This paper details the differences between WebSphere security and z/OS security, and provides the steps necessary to move from WebSphere security to z/OS security without reinstalling or customizing a new application server.

Before you begin

Before attempting any of the configuration changes in this document, ensure that the WebSphere configuration file system (HFS/ZFS) has been backed up, so that the original configuration HFS/ZFS can be restored if problems are encountered.

The steps in this document are presented as sections and should be followed sequentially by section number. Depending on the current WebSphere configuration, some sections will not apply, as indicated in the list below:

Security Options

During WebSphere V7.0 for z/OS installation, administrative security can be enabled during initial cell customization; this is also referred to as "security out of the box". The WebSphere Customization Tool (WCT) presents the following three options, as shown in Figure 1:

1. Use a z/OS security product: the z/OS security product manages users, groups, and the authorization policy.

2. Use WebSphere Application Server: WebSphere Application Server manages users, groups, and the authorization policy.

3. Do not enable security.

    Figure 1: WCT - Administrative Security Selection

Comparison of Security Options

Table 1 (Security Comparison) illustrates the differences in security setup based on the option chosen in the administrative security selection during WebSphere for z/OS installation.

| | z/OS Security | WebSphere Application Server Security | No Security |
|---|---|---|---|
| Administrative Security | True | True | False |
| Realm | Local OS | Federated Repositories | Federated Repositories |
| Authorization | System Authorization Facility (SAF) authorization and delegation | Default Authorization | Default Authorization |
| SSL Configuration | SAF Keyring keystore/truststore | HFS based keystore/truststore | HFS based keystore/truststore |
| ssl.client.props | SAF Keyring keystore/truststore | HFS based keystore/truststore | HFS based keystore/truststore |
| RACF Commands (BBOWBRAK/BBODRAK) | Userids (wsadmin/wsguest), Groups, Keyring, Signer Certificate, Personal Certificate, CBIND, EJBROLE, CosNaming roles, Sync-to-thread, EnableTrustedApps | Userids, Groups | Userids, Groups |

Table 1: Security Comparison

Moving from No Security to WebSphere Security

This paper documents how to move from WebSphere security to z/OS security. However, WebSphere may have been configured with No Security by choosing the third option, Do not enable security, in the WCT - Administrative Security Selection panel. To first move from No Security to WebSphere Security, the additional step of enabling administrative and application security is needed.

    In the administrative console:

    Security → Global Security

Check the boxes for Enable administrative security and Enable application security

    Uncheck the box for Use Java 2 Security to restrict application access to local resources

    Figure 2: Global Security

Server Customization Jobs

Certain RACF commands need to be executed in order to move a base application server or a network deployment cell from WebSphere security to a configuration that uses z/OS security. The following sections provide details on how to create the needed RACF commands using the WCT.

Base Application Server or Managed Node RACF commands

The first step in preparing to move a base application server or managed node from WebSphere Application Server security to z/OS security is to rerun the WCT, choosing option 1, “Using a z/OS Security Product”. Once a new set of customization jobs has been created, the DATA(BBOWBRAC) member contains the example RACF commands. Example 1 (z/OS security specific commands from DATA(BBOWBRAC)) shows the additional RACF commands generated for z/OS security. Do not execute all the commands generated in DATA(BBOWBRAC); only the commands after the comment “Activating classes needed only for z/OS security” should be executed. The prior commands were already executed when WebSphere security was set up.

Note: The example commands were generated by choosing “Yes” for:
• Enable SSL on location service daemon
• SAF Profile Prefix
• Enable Writable SAF Keyring Support

The “Enable SSL on location service daemon” option generates a keyring for the Daemon userid and connects the WebSphereCA signing certificate and the personal certificate to that keyring.

The “SAF Profile Prefix” option adds a profile prefix to the CBIND, EJBROLE and APPL class profiles.

Activating classes needed only for z/OS security.
  SETROPTS RACLIST(CBIND) GENERIC(CBIND)
  SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT)

Adding WAS unauthenticated user ID
  ADDUSER WSGUEST RESTRICTED DFLTGRP(WSCFG1) OMVS(UID(2402) HOME(/var/WebSphere/home/WSCFG1) PROGRAM(/bin/sh)) NAME('WAS DEFAULT USER') NOPASSWORD NOOIDCARD

APPL class setup. Used to control client access to a WebSphere Application Server for z/OS cell or group of cells.
  RDEFINE APPL SY1 UACC(NONE)
  PERMIT SY1 CLASS(APPL) ID(WSCFG1) ACCESS(READ)
  PERMIT SY1 CLASS(APPL) ID(WSGUEST) ACCESS(READ)
  SETROPTS RACLIST(APPL) REFRESH

Define and permit CB.BIND. profile to CBIND class. Used for determining if a client can access a controller region. Any userid can gain access to the controller region if it has READ access to the CB.BIND.cluster_name profile.
  RDEFINE CBIND CB.BIND.SY1.** UACC(READ)
  PERMIT CB.BIND.SY1.** CLASS(CBIND) ID(WSCFG1) ACCESS(CONTROL)

Define and permit CB. profile to CBIND class. Used for determining if a client can use J2EE applications in a server.
  RDEFINE CBIND CB.SY1.** UACC(READ)
  SETROPTS RACLIST(CBIND) GENERIC(CBIND) REFRESH

Setting up EJBRoles profiles for admin roles when using SAF authorization
  SETROPTS CLASSACT(EJBROLE)
  SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)

Defining roles for SAF access
  RDEFINE EJBROLE SY1.administrator UACC(NONE)
  RDEFINE EJBROLE SY1.auditor UACC(NONE)
  RDEFINE EJBROLE SY1.monitor UACC(NONE)
  RDEFINE EJBROLE SY1.configurator UACC(NONE)
  RDEFINE EJBROLE SY1.operator UACC(NONE)
  RDEFINE EJBROLE SY1.deployer UACC(NONE)
  RDEFINE EJBROLE SY1.adminsecuritymanager UACC(NONE)
  PERMIT SY1.adminsecuritymanager CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
  PERMIT SY1.auditor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)

Setting up EJBRoles access for administrator and CR
  PERMIT SY1.administrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

Setting up EJBRoles profiles for Naming roles
  RDEFINE EJBROLE SY1.CosNamingRead UACC(READ)
  PERMIT SY1.CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
  RDEFINE EJBROLE SY1.CosNamingWrite UACC(NONE)
  PERMIT SY1.CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  RDEFINE EJBROLE SY1.CosNamingCreate UACC(NONE)
  PERMIT SY1.CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  RDEFINE EJBROLE SY1.CosNamingDelete UACC(NONE)
  PERMIT SY1.CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  SETROPTS RACLIST(EJBROLE) REFRESH

Create SSL Certificate Authority certificate. This will be used to sign client and server certs.
  RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('WAS CertAuth for Security Domain') OU('SY1')) WITHLABEL('WebSphereCA') TRUST NOTAFTER(DATE(2018/12/31))

Facility class refresh
  SETROPTS RACLIST(FACILITY) REFRESH

Create WebSphere controller keyring
  RACDCERT ADDRING(WASKeyring.SY1) ID(ASCR1)

Generating certificate for WebSphere controller
  RACDCERT ID(ASCR1) GENCERT SUBJECTSDN(CN('BOSS0071.PLEX1.L2.IBM.COM') O('IBM') OU('SY1')) WITHLABEL('DefaultWASCert.SY1') SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2018/12/31))

Connect controller certificate to controller keyring
  RACDCERT ID(ASCR1) CONNECT(LABEL('DefaultWASCert.SY1') RING(WASKeyring.SY1) DEFAULT)

Connect WebSphere CA certificate to controller keyring
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to controller keyring
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('RSA Secure Server CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Server CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Premium Server CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Basic CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Freemail CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Premium CA') USAGE(CERTAUTH))
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign International Svr CA') USAGE(CERTAUTH))

Generating certificate for Location Service Daemon
  RACDCERT ID(ASCR1) GENCERT SUBJECTSDN(CN('BOSS0071.PLEX1.L2.IBM.COM') O('IBM') OU('SY1')) WITHLABEL('DefaultDaemonCert.SY1') SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2018/12/31))

Connecting Daemon certificate to the keyring
  RACDCERT ID(ASCR1) CONNECT(LABEL('DefaultDaemonCert.SY1') RING(WASKeyring.SY1) DEFAULT)

Create WebSphere servant keyring
  RACDCERT ADDRING(WASKeyring.SY1) ID(ASSR1)

Connect WAS CA certificate to servant keyring
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to servant keyring
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('RSA Secure Server CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Server CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Premium Server CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Basic CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Freemail CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Premium CA') USAGE(CERTAUTH))
  RACDCERT ID(ASSR1) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign International Svr CA') USAGE(CERTAUTH))

Creating SSL keyring for WebSphere administrator user ID
  RACDCERT ADDRING(WASKeyring.SY1) ID(WSADMIN)

Connect WAS CA certificate to WebSphere administrator keyring
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to WebSphere administrator keyring
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('RSA Secure Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Premium Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Basic CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Freemail CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Premium CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign International Svr CA') USAGE(CERTAUTH))

Creating SSL keyring for WebSphere asynch administrator
  RACDCERT ADDRING(WASKeyring.SY1) ID(WSADMSH)

Connect WAS CA certificate to WebSphere asynch administrator keyring
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to WebSphere asynch administrator keyring
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('RSA Secure Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Premium Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Basic CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Freemail CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Thawte Personal Premium CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMSH) CONNECT(RING(WASKeyring.SY1) CERTAUTH LABEL('Verisign International Svr CA') USAGE(CERTAUTH))

Creating Root and Signers keyrings
  RACDCERT ADDRING(WASKeyring.SY1.Root) ID(ASCR1)
  RACDCERT ADDRING(WASKeyring.SY1.Signers) ID(ASCR1)

Connect root CA certificate to the root keyring
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1.Root) LABEL('WebSphereCA') CERTAUTH USAGE(PERSONAL))

Connect default signers to the default signers keyring
  RACDCERT ID(ASCR1) CONNECT(RING(WASKeyring.SY1.Signers) LABEL('WebSphereCA') CERTAUTH)

Facility class refresh
  SETROPTS RACLIST(FACILITY) REFRESH

Creating Sync-to-thread profile. Used for: enabling Sync-to-thread. The controller region user ID needs READ or CONTROL access to enable Sync-to-thread. With READ access, only security environments representing users in the SURROGAT class are allowed, while CONTROL allows security environments to represent any user.
  RDEFINE FACILITY BBO.SYNC.SY1.BBOC001 UACC(NONE)

Creating EnableTrustedApplications profile. Used for: allowing applications to perform operations normally reserved for privileged users.
  RDEFINE FACILITY BBO.TRUSTEDAPPS.SY1.BBOC001 UACC(NONE)

Permit default WAS configuration group to EnableTrustedApplications profile.
  PERMIT BBO.TRUSTEDAPPS.SY1.BBOC001 CLASS(FACILITY) ID(WSCFG1) ACCESS(READ)
  SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)
  SETROPTS RACLIST(FACILITY) REFRESH

Define permissions required for writable keyring support
  SETR CLASSACT(RDATALIB)
  SETR RACLIST(RDATALIB) GENERIC(RDATALIB)
  RDEFINE RDATALIB ASCR1.**.LST UACC(NONE)
  RDEFINE RDATALIB ASSR1.**.LST UACC(NONE)
  PERMIT ASCR1.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
  PERMIT ASCR1.**.LST CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
  PERMIT ASSR1.**.LST CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
  PERMIT ASSR1.**.LST CLASS(RDATALIB) ID(ASSR1) ACC(CONTROL)
  RDEFINE RDATALIB ASCR1.**.UPD UACC(NONE)
  RDEFINE RDATALIB ASSR1.**.UPD UACC(NONE)
  PERMIT ASCR1.**.UPD CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
  PERMIT ASSR1.**.UPD CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
  RDEFINE RDATALIB WSADMIN.**.LST UACC(NONE)
  PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
  PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
  RDEFINE RDATALIB WSADMIN.**.UPD UACC(NONE)
  PERMIT WSADMIN.**.UPD CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
  SETR RACLIST(RDATALIB) REFRESH

Example 1: z/OS security specific commands from DATA(BBOWBRAC)

Deployment Manager Server RACF commands

In a network deployment setup, the next step is to move the Deployment Manager server from WebSphere Application Server security to z/OS security by running the WCT and choosing option 1, “Using a z/OS Security Product”. Once a new set of customization jobs has been created, the DATA(BBODBRAC) member contains the new RACF commands. Example 2 (z/OS security specific commands from DATA(BBODBRAK)) shows the additional RACF commands generated for z/OS security. Do not execute all the commands generated in DATA(BBODBRAK); only the commands after the comment “Activating classes needed only for z/OS security” should be executed. The prior commands were already executed when WebSphere security was set up.

Note: The example commands were generated by choosing “Yes” for:
• Enable SSL on location service daemon
• SAF Profile Prefix
• Enable Writable SAF Keyring Support

The “Enable SSL on location service daemon” option generates a keyring for the Daemon userid and connects the WebSphereCA signing certificate and the personal certificate to that keyring.

The “SAF Profile Prefix” option adds a profile prefix to the CBIND, EJBROLE and APPL class profiles.

Activating classes needed only for z/OS security.
  SETROPTS CLASSACT(CBIND)
  SETROPTS RACLIST(CBIND) GENERIC(CBIND)
  SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT)

Adding WAS unauthenticated user ID
  ADDUSER WSGUEST RESTRICTED DFLTGRP(WSCFG1) OMVS(UID(2402) HOME(/var/WebSphere/home/WSCFG1) PROGRAM(/bin/sh)) NAME('WAS DEFAULT USER') NOPASSWORD NOOIDCARD

APPL class setup. Used to control client access to a WebSphere Application Server for z/OS cell or group of cells.
  RDEFINE APPL PLEX1 UACC(NONE)
  PERMIT PLEX1 CLASS(APPL) ID(WSCFG1) ACCESS(READ)
  PERMIT PLEX1 CLASS(APPL) ID(WSGUEST) ACCESS(READ)
  SETROPTS RACLIST(APPL) REFRESH

Define and permit CB.BIND. profile to CBIND class. Used for determining if a client can access a controller region. Any userid can gain access to the controller region if it has READ access to the CB.BIND.cluster_name profile.
  RDEFINE CBIND CB.BIND.PLEX1.** UACC(READ)
  PERMIT CB.BIND.PLEX1.** CLASS(CBIND) ID(WSCFG1) ACCESS(CONTROL)

Define and permit CB. profile to CBIND class. Used for determining if a client can use J2EE applications in a server.
  RDEFINE CBIND CB.PLEX1.** UACC(READ)
  SETROPTS RACLIST(CBIND) GENERIC(CBIND) REFRESH

Setting up EJBRoles profiles for admin roles when using SAF authorization
  SETROPTS CLASSACT(EJBROLE)
  SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)

Defining roles for SAF access
  RDEFINE EJBROLE PLEX1.administrator UACC(NONE)
  RDEFINE EJBROLE PLEX1.auditor UACC(NONE)
  RDEFINE EJBROLE PLEX1.monitor UACC(NONE)
  RDEFINE EJBROLE PLEX1.configurator UACC(NONE)
  RDEFINE EJBROLE PLEX1.operator UACC(NONE)
  RDEFINE EJBROLE PLEX1.deployer UACC(NONE)
  RDEFINE EJBROLE PLEX1.adminsecuritymanager UACC(NONE)
  PERMIT PLEX1.adminsecuritymanager CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
  PERMIT PLEX1.auditor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)

Setting up EJBRoles access for administrator and CR
  PERMIT PLEX1.administrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

Setting up EJBRoles profiles for Naming roles
  RDEFINE EJBROLE PLEX1.CosNamingRead UACC(READ)
  PERMIT PLEX1.CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
  RDEFINE EJBROLE PLEX1.CosNamingWrite UACC(NONE)
  PERMIT PLEX1.CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  RDEFINE EJBROLE PLEX1.CosNamingCreate UACC(NONE)
  PERMIT PLEX1.CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  RDEFINE EJBROLE PLEX1.CosNamingDelete UACC(NONE)
  PERMIT PLEX1.CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
  SETROPTS RACLIST(EJBROLE) REFRESH

Create SSL Certificate Authority certificate. This will be used to sign client and server certs.
  RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('WAS CertAuth for Security Domain') OU('PLEX1')) WITHLABEL('WebSphereCA') TRUST NOTAFTER(DATE(2018/12/31))

Create WebSphere controller keyring
  RACDCERT ADDRING(WASKeyring.PLEX1) ID(DMCR1)

Generating certificate for WebSphere controller
  RACDCERT ID(DMCR1) GENCERT SUBJECTSDN(CN('boss0071.plex1.l2.ibm.com') O('IBM') OU('PLEX1')) WITHLABEL('DefaultWASCert.PLEX1') SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2018/12/31))

Connect controller certificate to controller keyring
  RACDCERT ID(DMCR1) CONNECT(LABEL('DefaultWASCert.PLEX1') RING(WASKeyring.PLEX1) DEFAULT)

Connect WebSphere CA certificate to controller keyring
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to controller keyring
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('RSA Secure Server CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Server CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Premium Server CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Basic CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Freemail CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Premium CA') USAGE(CERTAUTH))
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign International Svr CA') USAGE(CERTAUTH))

Create WebSphere servant keyring
  RACDCERT ADDRING(WASKeyring.PLEX1) ID(DMSR1)

Connect WAS CA certificate to servant keyring
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to servant keyring
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('RSA Secure Server CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Server CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Premium Server CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Basic CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Freemail CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Premium CA') USAGE(CERTAUTH))
  RACDCERT ID(DMSR1) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign International Svr CA') USAGE(CERTAUTH))

Creating SSL keyring for WebSphere administrator
  RACDCERT ADDRING(WASKeyring.PLEX1) ID(WSADMIN)

Connect WAS CA certificate to WebSphere administrator keyring
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to WebSphere administrator keyring
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('RSA Secure Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Premium Server CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Basic CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Freemail CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Thawte Personal Premium CA') USAGE(CERTAUTH))
  RACDCERT ID(WSADMIN) CONNECT(RING(WASKeyring.PLEX1) CERTAUTH LABEL('Verisign International Svr CA') USAGE(CERTAUTH))

Creating Root and Signers keyrings
  RACDCERT ADDRING(WASKeyring.PLEX1.Root) ID(DMCR1)
  RACDCERT ADDRING(WASKeyring.PLEX1.Signers) ID(DMCR1)

Connect root CA certificate to the root keyring
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1.Root) LABEL('WebSphereCA') CERTAUTH USAGE(PERSONAL))

Connect default signers to the default signers keyring
  RACDCERT ID(DMCR1) CONNECT(RING(WASKeyring.PLEX1.Signers) LABEL('WebSphereCA') CERTAUTH)

Facility class refresh
  SETROPTS RACLIST(FACILITY) REFRESH

Creating Sync-to-thread profile. Used for: enabling Sync-to-thread. The controller region user ID needs READ or CONTROL access to enable Sync-to-thread. With READ access, only security environments representing users in the SURROGAT class are allowed, while CONTROL allows security environments to represent any user.
  RDEFINE FACILITY BBO.SYNC.PLEX1.** UACC(NONE)

Creating EnableTrustedApplications profile. Used for: allowing applications to perform operations normally reserved for privileged users.
  RDEFINE FACILITY BBO.TRUSTEDAPPS.PLEX1.** UACC(NONE)

Permit default WAS configuration group to EnableTrustedApplications profile.
  PERMIT BBO.TRUSTEDAPPS.PLEX1.** CLASS(FACILITY) ID(WSCFG1) ACCESS(READ)
  SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)
  SETROPTS RACLIST(FACILITY) REFRESH

Define permissions required for writable keyring support
  SETR CLASSACT(RDATALIB)
  SETR RACLIST(RDATALIB) GENERIC(RDATALIB)
  RDEFINE RDATALIB DMCR1.**.LST UACC(NONE)
  RDEFINE RDATALIB DMSR1.**.LST UACC(NONE)
  PERMIT DMCR1.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
  PERMIT DMCR1.**.LST CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
  PERMIT DMSR1.**.LST CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
  PERMIT DMSR1.**.LST CLASS(RDATALIB) ID(DMSR1) ACC(CONTROL)
  RDEFINE RDATALIB DMCR1.**.UPD UACC(NONE)
  RDEFINE RDATALIB DMSR1.**.UPD UACC(NONE)
  PERMIT DMCR1.**.UPD CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
  PERMIT DMSR1.**.UPD CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
  RDEFINE RDATALIB WSADMIN.**.LST UACC(NONE)
  PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
  PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
  RDEFINE RDATALIB WSADMIN.**.UPD UACC(NONE)
  PERMIT WSADMIN.**.UPD CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
  SETR RACLIST(RDATALIB) REFRESH

Example 2: z/OS security specific commands from DATA(BBODBRAK)

Enable SAF authorization

Mapping of userids to roles in J2EE applications and in the WebSphere runtime can be managed either by the WebSphere application server or by the SAF security product.

When Default Authorization is selected, the WebSphere application server is responsible for managing the userid-to-role mapping. For example, userids are mapped to administrative roles in the administrative console under the “Users and Groups” section; these settings are stored in the admin-authz.xml file in the HFS. In addition, userids are mapped to application roles during deployment of an application in the step “Map security roles to users or groups”, which is stored in the application's extended descriptor files.

When System Authorization Facility (SAF) authorization is selected, the userids are permitted to roles defined in the security product, and the HFS files used for Default Authorization are ignored.

Choosing WebSphere Security or No Security in the WCT - Administrative Security Selection panel sets WebSphere up with Default Authorization, and choosing “Use a z/OS security product” sets WebSphere up with SAF authorization.

    In the administrative console:

    Security → Global Security → External authorization providers

Change the authorization from Default Authorization to System Authorization Facility (SAF) authorization, as shown in Figure 3.

Figure 3: External Authorization Providers

Enable SAF delegation

WebSphere Application Server supports delegation, which allows a user identity to be represented by a J2EE role. Userids can be permitted to a role for purposes of authentication and authorization. After successful authentication, delegation in combination with a RunAs role can be used to have a method run under a specific ID.

For example, a web application configured for Basic Authentication can be set up with a RunAs role called TestRole. The example RACF definition permits USERA to TestRole, but delegates TestRole to USERB using the APPLDATA.

  SETROPTS CLASSACT(EJBROLE)
  RDEFINE EJBROLE PLEX1.TestRole UACC(NONE) APPLDATA(USERB)
  PERMIT PLEX1.TestRole CLASS(EJBROLE) ID(USERA) ACCESS(READ)
  SETROPTS RACLIST(EJBROLE) REFRESH

    After USERA has authenticated to the web application, the user principal executing on the thread will be USERB.

Note: The example commands were generated by specifying PLEX1 as the optional SAF profile prefix in the WebSphere Customization Tool; therefore the EJBROLE and CBIND class definitions contain this prefix.

The SAF profile prefix is shown in the SAF profile prefix text field of the administrative console, under Global security > External authorization providers > SAF authorization options.
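The delegation rule just described and the EJBROLE/CBIND definitions from Example 1 are easiest to reason about when the RACF decision is written out. The following Python model is an added example, not IBM's code and not part of this paper. It parses a constructed subset of those RACF commands (SY1-prefixed lines from Example 1, the PLEX1.TestRole lines from the delegation example, and an assumed CONNECT WSADMIN GROUP(WSCFG1) so that WSADMIN belongs to the configuration group) and evaluates access the way RACF does: an explicit user entry on the access list wins, then group entries, then UACC, and a RESTRICTED user ID such as WSGUEST never gains access through UACC. Generic profile matching is simplified to translating ** and * into patterns.

```python
"""Toy model of RACF access decisions for EJBROLE/CBIND profiles (added example,
not IBM code): explicit user entry wins, then group entries, then UACC; RESTRICTED
user IDs never get access through UACC; APPLDATA gives the RunAs identity."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed input: lines from Example 1 (SY1 prefix) and from the delegation
# example (PLEX1 prefix). The CONNECT line is an assumption added so that
# WSADMIN is a member of the WSCFG1 configuration group.
RACF_COMMANDS = """
ADDUSER WSGUEST RESTRICTED DFLTGRP(WSCFG1) OMVS(UID(2402) HOME(/var/WebSphere/home/WSCFG1) PROGRAM(/bin/sh)) NAME('WAS DEFAULT USER') NOPASSWORD NOOIDCARD
CONNECT WSADMIN GROUP(WSCFG1)
RDEFINE CBIND CB.SY1.** UACC(READ)
RDEFINE EJBROLE SY1.administrator UACC(NONE)
PERMIT SY1.administrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE SY1.CosNamingRead UACC(READ)
PERMIT SY1.CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE SY1.CosNamingWrite UACC(NONE)
PERMIT SY1.CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE PLEX1.TestRole UACC(NONE) APPLDATA(USERB)
PERMIT PLEX1.TestRole CLASS(EJBROLE) ID(USERA) ACCESS(READ)
"""
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def level(access: str) -> int:
    return ACCESS_LEVELS.index(access.upper())


@dataclass
class Profile:
    uacc: str = "NONE"
    appldata: Optional[str] = None                         # RunAs delegation target
    permits: Dict[str, str] = field(default_factory=dict)  # user/group -> access


class SafModel:
    def __init__(self) -> None:
        self.profiles: Dict[tuple, Profile] = {}   # (class, profile name) -> Profile
        self.groups: Dict[str, Set[str]] = {}      # user -> groups connected to
        self.restricted: Set[str] = set()          # users defined with RESTRICTED

    def load(self, commands: str) -> None:
        """Parse ADDUSER/CONNECT/RDEFINE/PERMIT; other commands carry no policy here."""
        for line in (raw.strip() for raw in commands.splitlines() if raw.strip()):
            verb = line.split()[0].upper()
            if verb == "ADDUSER":
                user, rest = re.match(r"ADDUSER\s+(\S+)(.*)", line, re.I).groups()
                if re.search(r"\bRESTRICTED\b", rest, re.I):
                    self.restricted.add(user.upper())
                g = re.search(r"DFLTGRP\((\w+)\)", rest, re.I)
                if g:
                    self.groups.setdefault(user.upper(), set()).add(g.group(1).upper())
            elif verb == "CONNECT":
                user, grp = re.match(r"CONNECT\s+(\w+)\s+GROUP\((\w+)\)", line, re.I).groups()
                self.groups.setdefault(user.upper(), set()).add(grp.upper())
            elif verb == "RDEFINE":
                klass, name, rest = re.match(r"RDEFINE\s+(\w+)\s+(\S+)(.*)", line, re.I).groups()
                uacc = re.search(r"UACC\((\w+)\)", rest, re.I)
                appl = re.search(r"APPLDATA\((\w+)\)", rest, re.I)
                self.profiles[(klass.upper(), name)] = Profile(
                    uacc.group(1).upper() if uacc else "NONE",
                    appl.group(1).upper() if appl else None)
            elif verb == "PERMIT":
                name, klass, ident, acc = re.match(
                    r"PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\((\w+)\)\s+ACC(?:ESS)?\((\w+)\)",
                    line, re.I).groups()
                self.profiles[(klass.upper(), name)].permits[ident.upper()] = acc.upper()

    def _match(self, klass: str, resource: str) -> Optional[Profile]:
        """Discrete profile first, else the longest (most specific) generic that matches."""
        if (klass, resource) in self.profiles:
            return self.profiles[(klass, resource)]
        best = None
        for (k, name), prof in self.profiles.items():
            pattern = re.escape(name).replace(r"\*\*", ".*").replace(r"\*", "[^.]*")
            if k == klass and "*" in name and re.fullmatch(pattern, resource):
                if best is None or len(name) > len(best[0]):
                    best = (name, prof)
        return best[1] if best else None

    def access(self, user: str, klass: str, resource: str) -> str:
        user = user.upper()
        prof = self._match(klass.upper(), resource)
        if prof is None:
            return "NONE"                  # no profile: nobody holds the role
        if user in prof.permits:
            return prof.permits[user]      # explicit user entry always wins
        via_group = [prof.permits[g] for g in self.groups.get(user, ()) if g in prof.permits]
        if via_group:
            return max(via_group, key=level)
        if user in self.restricted:
            return "NONE"                  # RESTRICTED: UACC does not apply
        return prof.uacc

    def run_as(self, user: str, klass: str, role: str) -> Optional[str]:
        """Identity a RunAs method executes under, or None when the user lacks READ."""
        if level(self.access(user, klass, role)) < level("READ"):
            return None
        return self._match(klass.upper(), role).appldata or user.upper()


def build_model() -> SafModel:
    model = SafModel()
    model.load(RACF_COMMANDS)
    return model
```

With this model, access("USERA", "EJBROLE", "PLEX1.TestRole") on build_model() is READ and run_as returns USERB, while USERB itself is not permitted to the role. It also shows why the generated commands PERMIT WSGUEST explicitly to SY1.CosNamingRead even though that profile has UACC(READ): the RESTRICTED attribute makes UACC irrelevant for WSGUEST, so without the PERMIT the unauthenticated user could not read the name space. Conversely, because WSGUEST's default group is WSCFG1 in these listings, the model gives it READ on SY1.CosNamingWrite through the group entry; the group connections of the unauthenticated ID are therefore worth confirming in a review.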

Choosing the z/OS security product option in the WCT - Administrative Security Selection panel will also enable SAF delegation. SAF delegation requires SAF authorization to be enabled. Although it is not required to enable SAF delegation, the step is prov
ided here to be consistent with a system set up with SAF authorization.

    In the administrative console:

    Security → Global Security → External authorization providers → SAF Authorization options

Check the box for Enable SAF Delegation, as shown in Figure 4.

Figure 4: SAF authorization options - Delegation

Switch from Federated Repository to Local OS

During the customization of WebSphere, choosing the second option (WebSphere Application Server security) or the third option (no security) sets the current realm definition for the user account repository to Federated Repositories. To configure WebSphere to use the z/OS security product, the current realm definition must be changed to Local operating system in the administrative console.

    In the administrative console:

    Security → Global Security → Available realm definitions

Change the realm from Federated Repositories to Local operating system, as shown in Figure 5.

Figure 5: User Account Repository Realm Definition

  • SSL Configuration Changes One of the major differences between WebSphere Security and z/OS security is the repository where certificates are stored. The SSL settings are managed by a set of inbound and outbound SSL configurations that consist of a keystore and truststore. The following sections describe the SSL configuration changes needed when moving from WebSphere Security to z/OS Security.

    Server SSL Configuration SummaryCertificates used for SSL communication can be stored in either an HFS file or a SAF keyring on WebSphere for z/OS. WebSphere uses either a KeyStore or TrustStore to access these certificates. A KeyStore is a repository that contains one or more personal certificates signed by a certificate authority, and each certificate's corresponding private key. A TrustStore is a special type of KeyStore which contains one or more signer certificates and each certificate's corresponding public key belonging to another trusted party. The certificates in the TrustStore are considered trusted certificates because the TrustStore owner trusts that the public key in each certificate indeed belongs to the party identified by the subject (owner) of that certificate.

    Choosing WebSphere Security or No Security sets up a KeyStore and a TrustStore, each pointing to the absolute path of a PKCS12 file in the HFS. Figure 7: HFS Based KeyStore and TrustStore illustrates the default KeyStore (NodeDefaultKeyStore) and TrustStore (NodeDefaultTrustStore) pointing to the files key.p12 and trust.p12 respectively.

    In order to access certificates stored in the SAF security product, the KeyStore and TrustStore need to contain a path that points to a SAF keyring. The format of the path is safkeyring:///<keyring_name>, where <keyring_name> is the name of the keyring created after running the jobs generated from the customization dialogues in which SAF security was chosen.

  • Client SSL Configuration Summary

    Thin clients and J2EE application clients that make outbound SSL calls to the WebSphere application server usually use the following Java properties to point to a configuration file for client security settings. In addition, several of the WebSphere shell scripts, such as wsadmin.sh, launchClient.sh, addNode.sh, and others, use these properties.

    • com.ibm.CORBA.ConfigURL = /profiles/default/properties/sas.client.props
    • com.ibm.SOAP.ConfigURL = /profiles/default/properties/soap.client.props
    • com.ibm.SSL.ConfigURL = /profiles/default/properties/ssl.client.props

    The file sas.client.props controls configuration settings for outbound RMI-IIOP calls, and the file soap.client.props controls configuration settings for outbound SOAP calls. Both files contain a property that points to an SSL configuration to be used by the client.

    • com.ibm.ssl.alias = DefaultSSLSettings

    The SSL configuration referred to by the alias property is defined in the ssl.client.props file.

    Choosing WebSphere Security or No Security sets up a KeyStore and a TrustStore, each pointing to the absolute path of a PKCS12 file in the HFS.

    Example 3: Section from ssl.client.props for WebSphere Security or No Security shows the default keyStoreName (ClientDefaultKeyStore) and the default trustStoreName (ClientDefaultTrustStore) pointing to the keyStore file key.p12 and the trustStore file trust.p12 respectively. The default setup for WebSphere's HFS based keystore has a keyStoreType and a trustStoreType of PKCS12 (Public Key Cryptography Standards version 12) and a password encoded using the {xor} algorithm. The keyStoreFileBased and trustStoreFileBased properties are set to true since the repository in which the certificates are contained is an HFS file.

    To change the ssl.client.props file from using an HFS based certificate repository to using a SAF keyring, the following properties need to be changed:

    • com.ibm.ssl.keyStore
    • com.ibm.ssl.keyStorePassword
    • com.ibm.ssl.keyStoreType
    • com.ibm.ssl.keyStoreFileBased
    • com.ibm.ssl.trustStore
    • com.ibm.ssl.trustStorePassword
    • com.ibm.ssl.trustStoreType
    • com.ibm.ssl.trustStoreFileBased

    The KeyStore and TrustStore need to contain a path that points to a SAF keyring. The format of the path is safkeyring:///<keyring_name>, where <keyring_name> is the name of the keyring created after running the jobs generated from the customization dialogues in which SAF security was chosen. The keyStoreType and trustStoreType should be of type JCERACFKS (Java Cryptography Extension Resource Access Control Facility Keystore). The keyStorePassword and trustStorePassword should be set to the value “password” or to the value “{xor}Lz4sLCgwLTs=”, which is the string “password” encoded using the {xor} algorithm. Finally, the keyStoreFileBased and trustStoreFileBased properties should be set to false since SAF keyrings are not HFS based files.

    Example 3: Section from ssl.client.props for WebSphere Security or No Security shows the default KeyStore (ClientDefaultKeyStore) and the default TrustStore (ClientDefaultTrustStore) pointing to files key.p12 and trust.p12.

    Example 4: Section from ssl.client.props setup with z/OS Security shows the default settings for these properties when WebSphere is setup with z/OS security.

    #-------------------------------------------------------------------------
    # This SSL configuration is used for all client SSL connections, by default
    #-------------------------------------------------------------------------
    com.ibm.ssl.alias=DefaultSSLSettings
    com.ibm.ssl.protocol=SSL_TLS
    com.ibm.ssl.securityLevel=HIGH
    com.ibm.ssl.trustManager=IbmPKIX
    com.ibm.ssl.keyManager=IbmX509
    com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.enableSignerExchangePrompt=gui
    #com.ibm.ssl.keyStoreClientAlias=default
    #com.ibm.ssl.customTrustManagers=
    #com.ibm.ssl.customKeyManager=
    #com.ibm.ssl.dynamicSelectionInfo=
    #com.ibm.ssl.enabledCipherSuites=

    # KeyStore information
    com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
    com.ibm.ssl.keyStore=${user.root}/etc/key.p12
    com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
    com.ibm.ssl.keyStoreType=PKCS12
    com.ibm.ssl.keyStoreProvider=IBMJCE
    com.ibm.ssl.keyStoreFileBased=true

    # TrustStore information
    com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
    com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
    com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
    com.ibm.ssl.trustStoreType=PKCS12
    com.ibm.ssl.trustStoreProvider=IBMJCE
    com.ibm.ssl.trustStoreFileBased=true
    com.ibm.ssl.trustStoreReadOnly=false

    Example 3: Section from ssl.client.props for WebSphere Security or No Security

  • Base Configuration SSL Setup

    In this section, the steps are given for creating a new keystore and truststore that point to a SAF keyring, and for validating that the keyring can be accessed by viewing the signer and personal certificates from the administrative console. In addition, the existing SSL configuration and the HFS SSL client properties file are updated to use the new keystore and truststore.

    Before proceeding with this section, disable dynamic runtime updates of SSL configuration changes so that the changes are not reflected until the server is restarted. This prevents a user from being logged off the administrative console, and other complications, while SSL changes are being made.

    In the administrative console:

    Security → Global Security → SSL certificate and key management

    Uncheck Dynamically update the run time when SSL configuration changes occur

    Click Apply and then save the changes.

    Restart the application server to pick up the change.

    Figure 6: Disabling dynamic runtime updates of SSL configuration changes

  • Creating a Node Level KeyStore and TrustStore to point to a SAF keyring

    The existing NodeDefaultKeyStore and NodeDefaultTrustStore will point to the key.p12 and trust.p12 files as shown in Figure 7: HFS Based KeyStore and TrustStore.

    Figure 7: HFS Based KeyStore and TrustStore

  • Creating a new KeyStore using the administrative console

    In the administrative console:

    Security → Global Security → SSL certificate and key management → Key stores and certificates

    Change the Keystore Usages dropdown to SSL Keystores

    Click the New button

    ➔ Name: NodeDefaultSAFKeyStore

    ➔ Management Scope:

    ➔ Path: safkeyring:///WASKeyring.SY1

    ➔ Control region user:

    ➔ Servant region user:

    ➔ Password: password

    ➔ Confirm Password: password

    ➔ Type: JCERACFKS

    ➔ Read Only checked

    Click Apply and then save the changes.

    Figure 8: New SAF KeyStore

  • Creating a new TrustStore using the administrative console

    In the administrative console:

    Security → Global Security → SSL certificate and key management → Key stores and certificates

    Change the Keystore Usages dropdown to SSL Keystores

    Click the New button

    ➔ Name: NodeDefaultSAFTrustStore

    ➔ Management Scope:

    ➔ Path: safkeyring:///WASKeyring.SY1

    ➔ Control region user:

    ➔ Servant region user:

    ➔ Password: password

    ➔ Confirm Password: password

    ➔ Type: JCERACFKS

    ➔ Read Only checked

    Click Apply and then save the changes.

    Figure 9: New SAF TrustStore

  • Viewing the new SAF KeyStore and TrustStore

    The NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore should now be listed showing a path pointing to a SAF keyring as illustrated in Figure 10: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore.

    Figure 10: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore

  • Viewing the Signer and Personal Certificate

    Restart the WebSphere application server and confirm that the SAF keyring pointed to by the NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore can be accessed and viewed by WebSphere.

    In the administrative console:

    Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFTrustStore → Signer Certificates

    The signer certificate generated by the customization jobs should be listed as shown in Figure 11: NodeDefaultSAFTrustStore Signer Certificate.

    In the administrative console:

    Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFKeyStore → Personal Certificates

    The personal certificate signed by the signer certificate should be listed as shown in Figure 12: NodeDefaultSAFKeyStore Personal Certificate.

    Figure 11: NodeDefaultSAFTrustStore Signer Certificate

    If no signer certificates are displayed in the NodeDefaultSAFTrustStore or no personal certificates are displayed in the NodeDefaultSAFKeyStore then there may be a problem with the configuration. Review section TroubleShooting Keystore and Truststore setup for possible ways to diagnose the problem.

    Figure 12: NodeDefaultSAFKeyStore Personal Certificate

  • Update Node Level SSL Configuration to use new KeyStore & TrustStore

    The SSL configuration NodeDefaultSSLSettings should be updated to use the newly created SAF KeyStore and SAF TrustStore. Additionally, the alias of the personal certificate to be used as the default should be selected.

    In the administrative console:

    Security → Global Security → SSL certificate and key management → SSL Configurations → NodeDefaultSSLSettings

    ➔ From the Truststore name dropdown select: NodeDefaultSAFTrustStore

    ➔ From the Keystore name dropdown select: NodeDefaultSAFKeyStore

    Click the Get certificate aliases button to populate the Default server certificate alias and Default client certificate alias dropdowns.

    Click Apply and then save the changes.

    As shown in Figure 13: NodeDefaultSSLSettings TrustStore and KeyStore

    Figure 13: NodeDefaultSSLSettings TrustStore and KeyStore

  • Update Application Server ssl.client.props

    Example 4: Section from ssl.client.props setup with z/OS Security shows the default KeyStore (ClientDefaultKeyStore) and the default TrustStore (ClientDefaultTrustStore) pointing to a SAF Keyring called WASKeyring.SY1.

    #-------------------------------------------------------------------------
    # This SSL configuration is used for all client SSL connections, by default
    #-------------------------------------------------------------------------
    com.ibm.ssl.alias=DefaultSSLSettings
    com.ibm.ssl.protocol=SSL_TLS
    com.ibm.ssl.securityLevel=HIGH
    com.ibm.ssl.trustManager=IbmPKIX
    com.ibm.ssl.keyManager=IbmX509
    com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.enableSignerExchangePrompt=gui
    #com.ibm.ssl.keyStoreClientAlias=default
    #com.ibm.ssl.customTrustManagers=
    #com.ibm.ssl.customKeyManager=
    #com.ibm.ssl.dynamicSelectionInfo=
    #com.ibm.ssl.enabledCipherSuites=

    # KeyStore information
    com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
    com.ibm.ssl.keyStore=safkeyring:///WASKeyring.SY1
    com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
    com.ibm.ssl.keyStoreType=JCERACFKS
    com.ibm.ssl.keyStoreProvider=IBMJCE
    com.ibm.ssl.keyStoreFileBased=false

    # TrustStore information
    com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
    com.ibm.ssl.trustStore=safkeyring:///WASKeyring.SY1
    com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
    com.ibm.ssl.trustStoreType=JCERACFKS
    com.ibm.ssl.trustStoreProvider=IBMJCE
    com.ibm.ssl.trustStoreFileBased=false
    com.ibm.ssl.trustStoreReadOnly=true

    Example 4: Section from ssl.client.props setup with z/OS Security

    Note: The properties com.ibm.ssl.keyStorePassword and com.ibm.ssl.trustStorePassword show the value “{xor}Lz4sLCgwLTs=”, which is the string “password” encoded using the {xor} algorithm. The literal string “password” can be substituted for it, as seen below:

    com.ibm.ssl.keyStorePassword=password
    com.ibm.ssl.trustStorePassword=password

    Ensure that there are no trailing spaces after any of the properties as this can lead to errors.
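    The property changes listed under Client SSL Configuration Summary, the {xor} password note above, and the trailing-space caveat can all be checked mechanically before a restart. The following Python script is an added example, not code from this paper or from WebSphere: it implements the {xor} encoding WebSphere uses for ssl.client.props passwords (each byte XORed with 0x5F, then base64) and checks a client properties text for the SAF keyring settings; the sample properties are constructed, and the keyring name WASKeyring.SY1 is the one used in Example 4.

```python
import base64
import re

# WebSphere's {xor} password encoding, as seen in ssl.client.props: every byte of
# the clear text is XORed with 0x5F ('_') and the result is base64 encoded.
# This is obfuscation, not encryption; anyone who can read the file recovers the
# clear text, so the file permissions on ssl.client.props are what protect it.
XOR_PREFIX = "{xor}"
XOR_KEY = 0x5F


def xor_encode(clear: str) -> str:
    """Encode a clear-text value the way WebSphere's {xor} algorithm does."""
    obfuscated = bytes(b ^ XOR_KEY for b in clear.encode("utf-8"))
    return XOR_PREFIX + base64.b64encode(obfuscated).decode("ascii")


def xor_decode(value: str) -> str:
    """Decode a {xor}... value; a value without the prefix is returned unchanged."""
    if not value.startswith(XOR_PREFIX):
        return value
    raw = base64.b64decode(value[len(XOR_PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def parse_properties(text: str) -> dict:
    """Minimal reader for the key=value lines of ssl.client.props. Values are
    kept verbatim, trailing blanks included, so the checker can flag them."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value
    return props


SAF_KEYRING_PATH = re.compile(r"^safkeyring:///\S+$")


def check_saf_client_props(text: str) -> list:
    """Return the problems found in an ssl.client.props that is meant to use a
    SAF keyring: the eight keyStore*/trustStore* properties the paper lists,
    plus trailing whitespace on any property (a known source of errors)."""
    props = parse_properties(text)
    problems = []
    for store in ("keyStore", "trustStore"):
        prefix = "com.ibm.ssl." + store
        path = props.get(prefix, "").rstrip()
        if not SAF_KEYRING_PATH.match(path):
            problems.append(f"{prefix} must be safkeyring:///<keyring_name>, found {path!r}")
        if props.get(prefix + "Type", "").rstrip() != "JCERACFKS":
            problems.append(f"{prefix}Type must be JCERACFKS")
        if props.get(prefix + "FileBased", "").rstrip() != "false":
            problems.append(f"{prefix}FileBased must be false; a SAF keyring is not an HFS file")
        if xor_decode(props.get(prefix + "Password", "").rstrip()) != "password":
            problems.append(f"{prefix}Password must be password or " + xor_encode("password"))
    for key, value in props.items():
        if value != value.rstrip():
            problems.append(f"{key} has trailing whitespace")
    return problems


# Constructed sample mirroring the z/OS Security settings of Example 4 (keyring
# WASKeyring.SY1 is the paper's). The trustStoreType line is given a trailing
# blank on purpose so the whitespace check has something to report.
SAMPLE_SAF_PROPS = "\n".join([
    "# KeyStore information",
    "com.ibm.ssl.keyStoreName=ClientDefaultKeyStore",
    "com.ibm.ssl.keyStore=safkeyring:///WASKeyring.SY1",
    "com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=",
    "com.ibm.ssl.keyStoreType=JCERACFKS",
    "com.ibm.ssl.keyStoreProvider=IBMJCE",
    "com.ibm.ssl.keyStoreFileBased=false",
    "# TrustStore information",
    "com.ibm.ssl.trustStoreName=ClientDefaultTrustStore",
    "com.ibm.ssl.trustStore=safkeyring:///WASKeyring.SY1",
    "com.ibm.ssl.trustStorePassword=password",
    "com.ibm.ssl.trustStoreType=JCERACFKS" + " ",
    "com.ibm.ssl.trustStoreProvider=IBMJCE",
    "com.ibm.ssl.trustStoreFileBased=false",
    "com.ibm.ssl.trustStoreReadOnly=true",
])

# Constructed sample of the HFS based defaults of Example 3, which the checker
# should reject on every one of the eight properties.
SAMPLE_HFS_PROPS = "\n".join([
    "com.ibm.ssl.keyStore=${user.root}/etc/key.p12",
    "com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=",
    "com.ibm.ssl.keyStoreType=PKCS12",
    "com.ibm.ssl.keyStoreFileBased=true",
    "com.ibm.ssl.trustStore=${user.root}/etc/trust.p12",
    "com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=",
    "com.ibm.ssl.trustStoreType=PKCS12",
    "com.ibm.ssl.trustStoreFileBased=true",
])

if __name__ == "__main__":
    print(xor_encode("password"))                  # {xor}Lz4sLCgwLTs=
    for problem in check_saf_client_props(SAMPLE_SAF_PROPS):
        print("SAF sample:", problem)
    for problem in check_saf_client_props(SAMPLE_HFS_PROPS):
        print("HFS sample:", problem)
```

    Running it against a real ssl.client.props (read the file and pass its text to check_saf_client_props) reports every property that still carries the HFS defaults.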

  • Network Deployment SSL Setup

    In this section, the steps are given for creating a new keystore and truststore that point to a SAF keyring, and for validating that the keyring can be accessed by viewing the signer and personal certificates from the administrative console. In addition, the existing SSL configuration and the HFS SSL client properties file are updated to use the new keystore and truststore.

    Before proceeding with this section, disable dynamic runtime updates of SSL configuration changes.

    In the administrative console:

    Security → Global Security → SSL certificate and key management

    Uncheck Dynamically update the run time when SSL configuration changes occur

    Click Apply and then save the changes.

    Restart the application server to pick up the change.

    Figure 14: Disabling dynamic runtime updates of SSL configuration changes

  • Creating a Cell Level KeyStore and TrustStore to point to a SAF keyring

    The existing CellDefaultKeyStore and CellDefaultTrustStore will point to the key.p12 and trust.p12 files as shown in Figure 15: HFS Based KeyStore and TrustStore.

    Figure 15: HFS Based KeyStore and TrustStore

  • Creating a new KeyStore using the administrative console

    In the administrative console:

    Security → Global Security → Manage endpoint security configurations → Key stores and certificates

    Click the New button

    ➔ Name: CellDefaultSAFKeyStore

    ➔ Management Scope:

    ➔ Path: safkeyring:///WASKeyring.PLEX1

    ➔ Password: password

    ➔ Confirm Password: password

    ➔ Read only checked

    Click Apply and then save the changes.

    Figure 16: New SAF KeyStore

  • Creating a new TrustStore using the administrative console

    In the administrative console:

    Security → Global Security → Manage endpoint security configurations → Key stores and certificates

    Click the New button

    ➔ Name: CellDefaultSAFTrustStore

    ➔ Management Scope:

    ➔ Path: safkeyring:///WASKeyring.PLEX1

    ➔ Password: password

    ➔ Confirm Password: password

    ➔ Read only checked

    Click Apply and then save the changes.

    Figure 17: New SAF TrustStore

  • Viewing the new KeyStore and TrustStore

    The CellDefaultSAFKeyStore and CellDefaultSAFTrustStore should now be listed showing a path pointing to a SAF keyring as illustrated in Figure 18: CellDefaultSAFKeyStore and CellDefaultSAFTrustStore.

    Figure 18: CellDefaultSAFKeyStore and CellDefaultSAFTrustStore

  • Viewing the Signer and Personal Certificate

    Restart the WebSphere application server and confirm that the SAF keyring pointed to by the CellDefaultSAFKeyStore and CellDefaultSAFTrustStore can be accessed and viewed by WebSphere.

    In the administrative console:

    Security → Global Security → Manage endpoint security configurations → Key stores and certificates → CellDefaultSAFTrustStore → Signer certificates

    The signer certificate generated by the customization jobs should be listed as shown in Figure 19: CellDefaultSAFTrustStore Signer Certificate.

    Figure 19: CellDefaultSAFTrustStore Signer Certificate

    In the administrative console:

    Security → SSL certificate and key management → Manage endpoint security configurations → Key stores and certificates → CellDefaultSAFKeyStore → Personal certificates

    The personal certificate signed by the signer certificate should be listed as shown in Figure 20: CellDefaultSAFKeyStore Personal Certificate.

    Figure 20: CellDefaultSAFKeyStore Personal Certificate

  • Creating a New Node Level KeyStore and TrustStore to point to a SAF keyring

    The NodeDefaultSSLSettings configuration will show the existing and newly created cell level keystores and truststores, and the existing NodeDefaultKeyStore and NodeDefaultTrustStore, which still point to the key.p12 and trust.p12 files as shown in Figure 21: HFS Based KeyStore and TrustStore.

    At this Node scope the CellDefaultSAFKeyStore and CellDefaultSAFTrustStore can also be seen as displayed previously at the cell scope in section Viewing the new KeyStore and TrustStore.

    Figure 21: HFS Based KeyStore and TrustStore

  • Creating a new KeyStore using the administrative console

    Security → Global Security → SSL certificate and key management → Key stores and certificates

    Change the Keystore Usages dropdown to SSL Keystores

    Click the New button

    ➔ Name: NodeDefaultSAFKeyStore

    ➔ Management Scope:

    ➔ Path: safkeyring:///WASKeyring.SY1

    ➔ Control region user:

    ➔ Servant region user:

    ➔ Password: password

    ➔ Confirm Password: password

    ➔ Type: JCERACFKS

    ➔ Read Only checked

    Click Apply and then save the changes.

    Figure 22: New SAF KeyStore

  • Creating a new TrustStore using the administrative console

    In the administrative console:

    Security → Global Security → SSL certificate and key management → Key stores and certificates

    Change the Keystore Usages dropdown to SSL Keystores

    Click the New button

    ➔ Name: NodeDefaultSAFTrustStore

    ➔ Management Scope:

    ➔ Path: safkeyring:///WASKeyring.SY1

    ➔ Control region user:

    ➔ Servant region user:

    ➔ Password: password

    ➔ Confirm Password: password

    ➔ Type: JCERACFKS

    ➔ Read Only checked

    Click Apply and then save the changes.

    Figure 23: New SAF TrustStore

  • Viewing the new KeyStore and TrustStore

    The NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore should now be listed showing a path pointing to a SAF keyring as illustrated in Figure 24: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore.

    Figure 24: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore

  • Viewing the Signer and Personal Certificate

    Restart the WebSphere application server and confirm that the SAF keyring pointed to by the NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore can be accessed and viewed by WebSphere.

    In the administrative console:

    Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFTrustStore → Signer certificates

    The signer certificate generated by the customization jobs should be listed as shown in Figure 25: NodeDefaultSAFTrustStore Signer Certificate.

    Figure 25: NodeDefaultSAFTrustStore Signer Certificate

    In the administrative console:

    Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFKeyStore → Personal certificates

    The personal certificate signed by the signer certificate should be listed as shown in Figure 26: NodeDefaultSAFKeyStore Personal Certificate.

    Figure 26: NodeDefaultSAFKeyStore Personal Certificate

  • Update Cell Level SSL Configuration to use new KeyStore & TrustStore

    The SSL configuration CellDefaultSSLSettings should be updated to use the newly created SAF KeyStore and SAF TrustStore. Additionally, the alias of the personal certificate to be used as the default should be selected.

    In the administrative console:

    Security → Global Security → SSL certificate and key management → SSL configurations → CellDefaultSSLSettings

    ➔ From the Truststore name dropdown select: CellDefaultSAFTrustStore

    ➔ From the Keystore name dropdown select: CellDefaultSAFKeyStore

    Click the Get certificate aliases button to populate the Default server certificate alias and Default client certificate alias dropdowns.

    Click Apply and then save the changes.

    As shown in Figure 27: CellDefaultSSLSettings TrustStore and KeyStore

    Figure 27: CellDefaultSSLSettings TrustStore and KeyStore

  • Update Node Level SSL Configuration to use new KeyStore & TrustStore

    The SSL configuration NodeDefaultSSLSettings should be updated to use the newly created SAF KeyStore and SAF TrustStore. Additionally, the alias of the personal certificate to be used as the default should be selected.

    In the administrative console:

    Security → Global Security → SSL certificate and key management → SSL configurations → NodeDefaultSSLSettings

    ➔ From the Truststore name dropdown select: NodeDefaultSAFTrustStore

    ➔ From the Keystore name dropdown select: NodeDefaultSAFKeyStore

    Click the Get certificate aliases button to populate the Default server certificate alias and Default client certificate alias dropdowns.

    Click Apply and then save the changes.

    As shown in Figure 28: NodeDefaultSSLSettings TrustStore and Keystore

    Figure 28: NodeDefaultSSLSettings TrustStore and Keystore

  • Update Deployment Manager ssl.client.props

    Example 5: Section from ssl.client.props setup with z/OS Security shows the default KeyStore (ClientDefaultKeyStore) and the default TrustStore (ClientDefaultTrustStore) pointing to a SAF Keyring called WASKeyring.PLEX1.

    The ssl.client.props is located in the HFS at: /DeploymentManager/profiles/default/properties/ssl.client.props

    #-------------------------------------------------------------------------
    # This SSL configuration is used for all client SSL connections, by default
    #-------------------------------------------------------------------------
    com.ibm.ssl.alias=DefaultSSLSettings
    com.ibm.ssl.protocol=SSL_TLS
    com.ibm.ssl.securityLevel=HIGH
    com.ibm.ssl.trustManager=IbmPKIX
    com.ibm.ssl.keyManager=IbmX509
    com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.enableSignerExchangePrompt=gui
    #com.ibm.ssl.keyStoreClientAlias=default
    #com.ibm.ssl.customTrustManagers=
    #com.ibm.ssl.customKeyManager=
    #com.ibm.ssl.dynamicSelectionInfo=
    #com.ibm.ssl.enabledCipherSuites=

    # KeyStore information
    com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
    com.ibm.ssl.keyStore=safkeyring:///WASKeyring.PLEX1
    com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
    com.ibm.ssl.keyStoreType=JCERACFKS
    com.ibm.ssl.keyStoreProvider=IBMJCE
    com.ibm.ssl.keyStoreFileBased=false

    # TrustStore information
    com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
    com.ibm.ssl.trustStore=safkeyring:///WASKeyring.PLEX1
    com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
    com.ibm.ssl.trustStoreType=JCERACFKS
    com.ibm.ssl.trustStoreProvider=IBMJCE
    com.ibm.ssl.trustStoreFileBased=false
    com.ibm.ssl.trustStoreReadOnly=true

    Example 5: Section from ssl.client.props setup with z/OS Security

    Note: The properties com.ibm.ssl.keyStorePassword and com.ibm.ssl.trustStorePassword show the value “{xor}Lz4sLCgwLTs=”, which is the string “password” encoded using the {xor} algorithm. The literal string “password” can be substituted for it, as seen below:

    com.ibm.ssl.keyStorePassword=password
    com.ibm.ssl.trustStorePassword=password

    Ensure that there are no trailing spaces after any of the properties as this can lead to errors.

  • Update Application Server ssl.client.props

    Example 6: Section from ssl.client.props setup with z/OS Security shows the default KeyStore (ClientDefaultKeyStore) and the default TrustStore (ClientDefaultTrustStore) pointing to a SAF Keyring called WASKeyring.SY1.

    The ssl.client.props is located in the HFS at: /AppServer/profiles/default/properties/ssl.client.props

    #-------------------------------------------------------------------------
    # This SSL configuration is used for all client SSL connections, by default
    #-------------------------------------------------------------------------
    com.ibm.ssl.alias=DefaultSSLSettings
    com.ibm.ssl.protocol=SSL_TLS
    com.ibm.ssl.securityLevel=HIGH
    com.ibm.ssl.trustManager=IbmPKIX
    com.ibm.ssl.keyManager=IbmX509
    com.ibm.ssl.contextProvider=IBMJSSE2
    com.ibm.ssl.enableSignerExchangePrompt=gui
    #com.ibm.ssl.keyStoreClientAlias=default
    #com.ibm.ssl.customTrustManagers=
    #com.ibm.ssl.customKeyManager=
    #com.ibm.ssl.dynamicSelectionInfo=
    #com.ibm.ssl.enabledCipherSuites=

    # KeyStore information
    com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
    com.ibm.ssl.keyStore=safkeyring:///WASKeyring.SY1
    com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
    com.ibm.ssl.keyStoreType=JCERACFKS
    com.ibm.ssl.keyStoreProvider=IBMJCE
    com.ibm.ssl.keyStoreFileBased=false

    # TrustStore information
    com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
    com.ibm.ssl.trustStore=safkeyring:///WASKeyring.SY1
    com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
    com.ibm.ssl.trustStoreType=JCERACFKS
    com.ibm.ssl.trustStoreProvider=IBMJCE
    com.ibm.ssl.trustStoreFileBased=false
    com.ibm.ssl.trustStoreReadOnly=true

    Example 6: Section from ssl.client.props setup with z/OS Security

    Note: The properties com.ibm.ssl.keyStorePassword and com.ibm.ssl.trustStorePassword show the value “{xor}Lz4sLCgwLTs=”, which is the string “password” encoded using the {xor} algorithm. The literal string “password” can be substituted for it, as seen below:

    com.ibm.ssl.keyStorePassword=password
    com.ibm.ssl.trustStorePassword=password

    Ensure that there are no trailing spaces after any of the properties as this can lead to errors.

  • TroubleShooting Keystore and Truststore setup

    When attempting to switch from WebSphere Security to z/OS Security, problems may occur in which a user cannot use the certificates in RACF. Some common external symptoms that may be encountered include:

    • Certificates cannot be viewed from the administrative console.
    • SSL handshake errors when logging onto the administrative console or during node synchronization.
    • SSL handshake errors when attempting to connect with WebSphere shell scripts such as wsadmin.sh to the Deployment Manager or Application Server.

    The following sections provide a list of items to review to help identify incorrect setup of SAF keyring or certificates.

    Server diagnostics after switching to z/OS Security

    List of items to review in RACF for Keyrings and Certificates:

    1. Confirm that the WebSphere administrative group is permitted to IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING profiles in the FACILITY class with READ access.

    2. Confirm that the SAF Keyring being used is connected to control region's userid, and contains a signer certificate and a personal certificate. RACDCERT LISTRING(keyring_name) ID(control_region_userid)

    3. Confirm that the SAF Keyring being used is connected to servant region's userid, and contains a signer certificate. RACDCERT LISTRING(keyring_name) ID(servant_region_userid)

    4. Display the details of the signer certificate, and confirm that it has TRUST status and is not expired. RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    5. Display the details of the personal certificate, and confirm that it has TRUST status and is not expired. RACDCERT LIST(LABEL('PersonalCert')) ID(userid)

    6. Follow the certificate chain to confirm a personal certificate is signed by the signer certificate. This can be done by confirming that the Issuer's Name of the personal certificate matches the Subject's Name of the certificate that signed it. A certificate chain may be multiple levels, and this step will need to be repeated up to the root certificate. The Issuer's Name will match the Subject's Name for a root certificate.

    Note: Section Required Facility Setup for SAF Keyrings provides example commands and output for item 1.

    Sections Base Application Server / Managed Node Keyring and Certificates and Deployment Manager Keyring and Certificates provide example commands and output for items 2 through 5.

  • Client diagnostics after switching to z/OS Security

    List of items to review in RACF for Keyrings and Certificates:

    1. Confirm that the client userid is permitted to IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING profiles in the FACILITY class with READ access.

    2. Confirm that the keystore and truststore in ssl.client.props are pointing to a SAF keyring.

    3. Confirm that the SAF Keyring being used is connected to the client userid, and contains the signer certificate that signed the personal certificate of the Deployment Manager (Network Deployment) or Application Server (Base) control region. RACDCERT LISTRING(keyring_name) ID(client_userid)

    4. Display the details of the signer certificate, and confirm that it has TRUST status and is not expired. RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    5. Follow the certificate chain to confirm that the personal certificate on the keyring of the Deployment Manager userid (Network Deployment) or Application Server userid (Base) was signed by the signer certificate on the keyring of the client userid. This can be done by confirming that the Issuer's Name of the personal certificate matches the Subject's Name of the certificate that signed it. A certificate chain may be multiple levels, and this step will need to be repeated up to the root certificate. The Issuer's Name will match the Subject's Name for a root certificate.

    Note: Section Required Facility Setup for SAF Keyrings provides example commands and output for item 1.

    Section Base Application Server / Managed Node Keyring and Certificates provides example output for item 2.

    When submitting a job that executes a shell script that makes an outbound SSL call (i.e. wsadmin.sh, addNode.sh), ensure that the job is submitted with the correct client id (i.e. wsadmin or equivalent).

    When executing shell scripts that make an outbound SSL call (i.e. wsadmin.sh, addNode.sh) from an OMVS shell or telnet session, be sure to be logged in with the correct client userid (i.e. wsadmin or equivalent).
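    Items 4 through 6 of the server list and items 4 and 5 of the client list describe walking the certificate chain by hand. The following Python script is an added example, not this paper's or IBM's code: it parses the Label, Status, date and Issuer's/Subject's Name fields out of RACDCERT LIST output and follows the chain from a personal certificate up to a self-signed root, reporting any certificate that is not TRUST, is outside its validity dates on a given day, or whose issuer is not in the listing. The listing text is constructed; the WebSphereCA block carries the values shown later in this paper, while the DefaultWASDmgrCert.PLEX1 details (dates, serial, subject) are assumed.

```python
import re
from datetime import datetime

# Fields of a RACDCERT LIST "Digital certificate information" block that the
# chain check needs. Issuer's Name and Subject's Name are printed as >...< on
# the line that follows the field name.
_FIELD = re.compile(r"^\s*(Label|Status|Start Date|End Date|Issuer's Name|Subject's Name):\s*(.*)$")
_ANGLE = re.compile(r"^\s*>(.*)<\s*$")
_DATE_FMT = "%Y/%m/%d %H:%M:%S"


def parse_racdcert_list(output: str) -> dict:
    """Parse one or more RACDCERT LIST outputs into {label: {field: value}}."""
    certs, current, pending = {}, None, None
    for line in output.splitlines():
        angle = _ANGLE.match(line)
        if angle and pending and current is not None:
            current[pending] = angle.group(1)   # value line of a pending name field
            pending = None
            continue
        match = _FIELD.match(line)
        if not match:
            continue
        field, value = match.group(1), match.group(2).strip()
        if field == "Label":
            current = {"Label": value}
            certs[value] = current
        elif current is None:
            continue
        elif field in ("Issuer's Name", "Subject's Name"):
            inline = _ANGLE.match(value)
            if inline:                          # name printed on the same line
                current[field] = inline.group(1)
            else:
                pending = field
        else:
            current[field] = value
    return certs


def verify_chain(certs: dict, leaf_label: str, as_of: str, max_depth: int = 5) -> list:
    """Follow the chain from leaf_label to a self-signed root, as the diagnostic
    items describe: each certificate must be TRUST, must be valid on as_of
    (YYYY/MM/DD), and its Issuer's Name must match the Subject's Name of a
    certificate in the listing. Returns the problems found; an empty list
    means the chain checks out."""
    by_subject = {c["Subject's Name"]: c for c in certs.values() if "Subject's Name" in c}
    check_date = datetime.strptime(as_of, "%Y/%m/%d")
    cert = certs.get(leaf_label)
    if cert is None:
        return [f"no certificate labelled {leaf_label} in the listing"]
    problems = []
    for _ in range(max_depth):
        label = cert["Label"]
        issuer_name, subject_name = cert["Issuer's Name"], cert["Subject's Name"]
        if cert.get("Status") != "TRUST":
            problems.append(f"{label}: status is {cert.get('Status')}, not TRUST")
        start = datetime.strptime(cert["Start Date"], _DATE_FMT)
        end = datetime.strptime(cert["End Date"], _DATE_FMT)
        if not start <= check_date <= end:
            problems.append(f"{label}: not valid on {as_of} (valid {cert['Start Date']} to {cert['End Date']})")
        if issuer_name == subject_name:
            return problems                     # self-signed root reached
        issuer = by_subject.get(issuer_name)
        if issuer is None:
            problems.append(f"{label}: issuer {issuer_name!r} is not in the listing")
            return problems
        cert = issuer
    problems.append(f"chain from {leaf_label} exceeds {max_depth} certificates")
    return problems


# Constructed listing: the WebSphereCA block uses the values shown in this
# paper; the DefaultWASDmgrCert.PLEX1 block (dates, serial, subject) is assumed.
SAMPLE_LISTING = """\
Digital certificate information for user DMCR1:

  Label: DefaultWASDmgrCert.PLEX1
  Certificate ID: (constructed)
  Status: TRUST
  Start Date: 2010/09/01 00:00:00
  End Date:   2015/09/01 23:59:59
  Serial Number:
       >01<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=PLEX1.OU=WebSphere.O=IBM<

Digital certificate information for CERTAUTH:

  Label: WebSphereCA
  Certificate ID: 2QiJmZmDhZmjgeaFguKXiIWZhcPB
  Status: TRUST
  Start Date: 2010/09/01 00:00:00
  End Date:   2018/12/31 23:59:59
  Serial Number:
       >00<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Key Usage: CERTSIGN
"""

if __name__ == "__main__":
    listing = parse_racdcert_list(SAMPLE_LISTING)
    print(verify_chain(listing, "DefaultWASDmgrCert.PLEX1", "2011/06/01"))  # []
    print(verify_chain(listing, "DefaultWASDmgrCert.PLEX1", "2016/01/01"))  # expired leaf
```

    Feed it the concatenated output of the RACDCERT LIST commands for the personal certificate and every CA on the ring, and an empty result confirms items 4 to 6 in one step.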

  • Example z/OS Security Setup with RACF Outputs

    This section provides RACF commands to obtain information about FACILITY profiles, Keyrings and certificates used in an example z/OS security setup.

    Userids and Keyrings

    The groupid and userids used in this security setup:

    GroupID   UserID     Keyring             Description
    WSCFG1    DMCR1      WASKeyring.PLEX1    Deployment Manager Control Region Userid
              DMSR1      WASKeyring.PLEX1    Deployment Manager Servant Region Userid
              ASCR1      WASKeyring.SY1      Node Agent Control Region Userid / Application Server Control Region Userid
              ASSR1      WASKeyring.SY1      Application Server Servant Region Userid
              WSDMNCR1   WASKeyring.PLEX1    Daemon Userid on Deployment Manager LPAR
                         WASKeyring.SY1      Daemon Userid on Application Server LPAR
              ASCRA1     WASKeyring.SY1      Adjunct Control Region Userid
              WSADMIN    WASKeyring.PLEX1    WebSphere Administrative Userid
                         WASKeyring.SY1
              WSADMSH    WASKeyring.SY1      Default Asynch Admin Task Userid

    Table 2: Userid and Keyring Used in Sample Commands

  • Required Facility Setup for SAF Keyrings

    WebSphere administrative group WSCFG1 is permitted with READ access to the IRR.DIGTCERT.LIST profile in the FACILITY class.

    RLIST FACILITY IRR.DIGTCERT.LIST ALL

    CLASS      NAME
    -----      ----
    FACILITY   IRR.DIGTCERT.LIST

    LEVEL  OWNER      UNIVERSAL ACCESS   YOUR ACCESS  WARNING
    -----  --------   ----------------   -----------  -------
     00    IBMUSER         CONTROL          ALTER       NO

    INSTALLATION DATA
    NONE

    APPLICATION DATA
    NONE

    SECLEVEL
    NO SECLEVEL

    CATEGORIES
    NO CATEGORIES

    SECLABEL
    NO SECLABEL

    AUDITING
    FAILURES(READ)

    NOTIFY
    NO USER TO BE NOTIFIED

    CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
    (DAY) (YEAR)   (DAY) (YEAR)         (DAY) (YEAR)
    -------------  -------------------  ----------------
     075   03       075   03             075   03

    ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
    -----------  -------------  ------------  ----------
         000000         000000        000000      000000

    USER      ACCESS   ACCESS COUNT
    ----      ------   ------ -----
    IBMUSER   ALTER       000000
    WSCFG1    READ        000000

    ID        ACCESS   ACCESS COUNT   CLASS     ENTITY NAME
    --------  -------  ------------   --------  ---------------------------------------
    NO ENTRIES IN CONDITIONAL ACCESS LIST

    WebSphere administrative group WSCFG1 is permitted with READ access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class.

    RLIST FACILITY IRR.DIGTCERT.LISTRING ALL

    CLASS      NAME
    -----      ----
    FACILITY   IRR.DIGTCERT.LISTRING

    LEVEL  OWNER      UNIVERSAL ACCESS   YOUR ACCESS  WARNING
    -----  --------   ----------------   -----------  -------
     00    IBMUSER         CONTROL          ALTER       NO

    INSTALLATION DATA
    NONE

    APPLICATION DATA
    NONE

    SECLEVEL
    NO SECLEVEL

    CATEGORIES
    NO CATEGORIES

    SECLABEL
    NO SECLABEL

    AUDITING
    FAILURES(READ)

    NOTIFY
    NO USER TO BE NOTIFIED

    CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
    (DAY) (YEAR)   (DAY) (YEAR)         (DAY) (YEAR)
    -------------  -------------------  ----------------
     075   03       075   03             075   03

    ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
    -----------  -------------  ------------  ----------
         000000         000000        000000      000000

    USER      ACCESS   ACCESS COUNT
    ----      ------   ------ -----
    IBMUSER   ALTER       000000
    WSCFG1    READ        000000

    ID        ACCESS   ACCESS COUNT   CLASS     ENTITY NAME
    --------  -------  ------------   --------  ---------------------------------------
    NO ENTRIES IN CONDITIONAL ACCESS LIST

  • Signing certificate WebSphereCA used in all keyrings

    Displaying Signer certificate details.

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    Digital certificate information for CERTAUTH:

      Label: WebSphereCA
      Certificate ID: 2QiJmZmDhZmjgeaFguKXiIWZhcPB
      Status: TRUST
      Start Date: 2010/09/01 00:00:00
      End Date:   2018/12/31 23:59:59
      Serial Number:
           >00<
      Issuer's Name:
           >CN=WAS CertAuth for Security Domain.OU=SY1<
      Subject's Name:
           >CN=WAS CertAuth for Security Domain.OU=SY1<
      Key Usage: CERTSIGN
      Private Key Type: Non-ICSF
      Private Key Size: 1024
      Ring Associations:
        Ring Owner: WSDMNCR1   Ring: >WASKeyring.SY1<
        Ring Owner: ASCR1      Ring: >WASKeyring.SY1<
        Ring Owner: ASSR1      Ring: >WASKeyring.SY1<
        Ring Owner: ASCRA1     Ring: >WASKeyring.SY1<
        Ring Owner: WSADMIN    Ring: >WASKeyring.SY1<
        Ring Owner: CBSYMCR1   Ring: >WASKeyring.SY1.Root<
        Ring Owner: CBSYMCR1   Ring: >WASKeyring.SY1.Signers<
        Ring Owner: WSADMSH    Ring: >WASKeyring.PLEX1<
        Ring Owner: WSDMNCR1   Ring: >WASKeyring.PLEX1<
        Ring Owner: DMCR1      Ring: >WASKeyring.PLEX1<
        Ring Owner: DMSR1      Ring: >WASKeyring.PLEX1<
        Ring Owner: WSADMIN    Ring: >WASKeyring.PLEX1<
        Ring Owner: DMCR1      Ring: >WASKeyring.PLEX1.Root<
        Ring Owner: DMCR1      Ring: >WASKeyring.PLEX1.Signers<

  • Deployment Manager Keyring and Certificates

    Listing the certificates for the SAF Keyring connected to the Deployment Manager control region's userid.

    RACDCERT LISTRING(WASKeyring.PLEX1) ID(DMCR1)

    Digital ring information for user DMCR1:

      Ring:
           >WASKeyring.PLEX1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      DefaultWASDmgrCert.PLEX1           ID(DMCR1)      PERSONAL     YES
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO
      DefaultDaemonCert.PLEX1            ID(DMCR1)      PERSONAL     YES

    Listing the certificates for the SAF Keyring connected to the Deployment Manager servant region's userid.

    RACDCERT LISTRING(WASKeyring.PLEX1) ID(DMSR1)

    Digital ring information for user DMSR1:

      Ring:
           >WASKeyring.PLEX1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Displaying Personal certificate details for the Deployment Manager control region's userid.

    RACDCERT LIST (LABEL('DefaultWASDmgrCert.PLEX1')) ID(DMCR1)

    Digital certificate information for user DMCR1:

      Label: DefaultWASDmgrCert.PLEX1
      Certificate ID: 2QXE1MPZ8cSFhoGkk6PmweLElIeZw4WZo0vX08Xn8UBA
      Status: TRUST
      Start Date: 2010/09/01 00:00:00
      End Date:   2018/12/31 23:59:59
      Serial Number:
           >06<
      Issuer's Name:
           >CN=WAS CertAuth for Security Domain.OU=SY1<
      Subject's Name:
           >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=PLEX1.O=IBM<
      Private Key Type: Non-ICSF
      Private Key Size: 1024
      Ring Associations:
        Ring Owner: DMCR1
        Ring:
           >WASKeyring.PLEX1<

    Displaying Signer certificate details.

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    See section Signing certificate WebSphereCA used in all keyrings.

  • Base Application Server / Managed Node Keyring and Certificates

    Listing the certificates for the SAF Keyring connected to the Application Server control region's userid.

    RACDCERT LISTRING(WASKeyring.SY1) ID(ASCR1)

    Digital ring information for user ASCR1:

      Ring:
           >WASKeyring.SY1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      DefaultWASCert.SY1                 ID(ASCR1)      PERSONAL     YES
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Listing the certificates for the SAF Keyring connected to the Application Server servant region's userid.

    RACDCERT LISTRING(WASKeyring.SY1) ID(ASSR1)

    Digital ring information for user ASSR1:

      Ring:
           >WASKeyring.SY1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Displaying Personal certificate details for the Application Server control region's userid.

    RACDCERT LIST (LABEL('DefaultWASCert.SY1')) ID(ASCR1)

    Digital certificate information for user ASCR1:

      Label: DefaultWASCert.SY1
      Certificate ID: 2QjDwuLo1MPZ8cSFhoGkk6PmweLDhZmjS+Lo8UBA
      Status: TRUST
      Start Date: 2007/11/16 00:00:00
      End Date:   2010/12/31 23:59:59
      Serial Number:
           >02<
      Issuer's Name:
           >CN=WAS CertAuth for Security Domain.OU=SY1<
      Subject's Name:
           >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
      Private Key Type: Non-ICSF
      Private Key Size: 1024
      Ring Associations:
        Ring Owner: ASCR1
        Ring:
           >WASKeyring.SY1<

    Displaying Signer certificate details.

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    See section Signing certificate WebSphereCA used in all keyrings.

  • Daemon Keyring and Certificates

    Listing the certificates for the SAF Keyring connected to the Daemon userid on PLEX1.

    RACDCERT LISTRING(WASKeyring.PLEX1) ID(WSDMNCR1)

    Digital ring information for user WSDMNCR1:

      Ring:
           >WASKeyring.PLEX1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      DefaultWASDmDaemonCert.PLEX1       ID(WSDMNCR1)   PERSONAL     YES
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Displaying Personal certificate details for the Daemon userid on PLEX1.

    RACDCERT LIST (LABEL('DefaultWASDmDaemonCert.PLEX1')) ID(WSDMNCR1)

    Digital certificate information for user WSDMNCR1:

      Label: DefaultWASDmDaemonCert.PLEX1
      Certificate ID: 2QjDwsTU1cPZ8cSFhoGkk6PmweLElMSBhZSWlcOFmaNL19PF5/FA
      Status: TRUST
      Start Date: 2007/11/16 00:00:00
      End Date:   2010/12/31 23:59:59
      Serial Number:
           >05<
      Issuer's Name:
           >CN=WAS CertAuth for Security Domain.OU=SY1<
      Subject's Name:
           >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=PLEX1.O=IBM<
      Private Key Type: Non-ICSF
      Private Key Size: 1024
      Ring Associations:
        Ring Owner: WSDMNCR1
        Ring:
           >WASKeyring.PLEX1<

    Displaying Signer certificate details.

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    See section Signing certificate WebSphereCA used in all keyrings.

    Listing the certificates for the SAF Keyring connected to the Daemon userid on SY1.

    RACDCERT LISTRING(WASKeyring.SY1) ID(WSDMNCR1)

    Digital ring information for user WSDMNCR1:

      Ring:
           >WASKeyring.SY1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      DefaultDaemonCert.SY1              ID(WSDMNCR1)   PERSONAL     YES
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Displaying Personal certificate details for the Daemon userid on SY1.

    RACDCERT LIST (LABEL('DefaultDaemonCert.SY1')) ID(WSDMNCR1)

    Digital certificate information for user WSDMNCR1:

      Label: DefaultDaemonCert.SY1
      Certificate ID: 2QjDwsTU1cPZ8cSFhoGkk6PEgYWUlpXDhZmjS+Lo8UBA
      Status: TRUST
      Start Date: 2007/11/16 00:00:00
      End Date:   2010/12/31 23:59:59
      Serial Number:
           >01<
      Issuer's Name:
           >CN=WAS CertAuth for Security Domain.OU=SY1<
      Subject's Name:
           >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
      Private Key Type: Non-ICSF
      Private Key Size: 1024
      Ring Associations:
        Ring Owner: WSDMNCR1
        Ring:
           >WASKeyring.SY1<

    Displaying Signer certificate details.

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    See section Signing certificate WebSphereCA used in all keyrings.

  • Adjunct Keyring and Certificates

    Listing the certificates for the SAF Keyring connected to the Adjunct control region's userid.

    RACDCERT LISTRING(WASKeyring.SY1) ID(ASCRA1)

    Digital ring information for user ASCRA1:

      Ring:
           >WASKeyring.SY1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      DefaultAdjunctCert.SY1             ID(ASCRA1)     PERSONAL     YES
      WebSphereCA                        CERTAUTH       CERTAUTH     NO

    Displaying Personal certificate details for the Adjunct control region's userid.

    RACDCERT LIST (label('DefaultAdjunctCert.SY1')) ID(ASCRA1)

    Digital certificate information for user ASCRA1:

      Label: DefaultAdjunctCert.SY1
      Certificate ID: 2QbB4sPZwfHEhYaBpJOjwYSRpJWDo8OFmaNL4ujx
      Status: TRUST
      Start Date: 2007/11/16 00:00:00
      End Date:   2010/12/31 23:59:59
      Serial Number:
           >03<
      Issuer's Name:
           >CN=WAS CertAuth for Security Domain.OU=SY1<
      Subject's Name:
           >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
      Private Key Type: Non-ICSF
      Private Key Size: 1024
      Ring Associations:
        Ring Owner: ASCRA1
        Ring:
           >WASKeyring.SY1<

    Displaying Signer certificate details.

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    See section Signing certificate WebSphereCA used in all keyrings.

  • WebSphere Administrative Userid Keyring and Certificates

    Listing the certificates for the SAF Keyring connected to the WebSphere administrative userid on PLEX1.

    RACDCERT LISTRING(WASKeyring.PLEX1) ID(WSADMIN)

      Ring:
           >WASKeyring.PLEX1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Listing the certificates for the SAF Keyring connected to the WebSphere administrative userid on SY1.

    RACDCERT LISTRING(WASKeyring.SY1) ID(WSADMIN)

      Ring:
           >WASKeyring.SY1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Listing the certificates for the SAF Keyring connected to the Default Async admin task userid on SY1.

    RACDCERT LISTRING(WASKeyring.SY1) ID(WSADMSH)

    Digital ring information for user WSADMSH:

      Ring:
           >WASKeyring.SY1<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      WebSphereCA                        CERTAUTH       CERTAUTH     NO
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO
      RSA Secure Server CA               CERTAUTH       CERTAUTH     NO
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO
      Verisign International Svr CA      CERTAUTH       CERTAUTH     NO

    Displaying Signer certificate details.

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

    See section Signing certificate WebSphereCA used in all keyrings.
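    Across the keyring listings above the same three things are confirmed by eye for every server userid: the WebSphereCA signer is connected to the ring, the ring carries a default PERSONAL certificate, and that certificate is trusted and still within its validity period. The script below performs those checks over saved RACDCERT LISTRING and RACDCERT LIST output. It is an added example and not part of this paper or of the WebSphere product. LISTRING_SAMPLE and LIST_SAMPLE are constructed to follow the layout of the listings above; the 90-day expiry warning, the 2048-bit minimum key size and the as-of date of 2010-10-29 are assumptions chosen for the example, not values from the paper.

```python
"""Sanity checks over saved RACDCERT LISTRING and RACDCERT LIST output.

Added example, not part of the IBM paper. Both samples are constructed to
follow the layout of the RACDCERT displays in this appendix.
"""
import re
from datetime import datetime

# Constructed sample of RACDCERT LISTRING(WASKeyring.SY1) ID(ASCR1), trimmed
LISTRING_SAMPLE = """\
Digital ring information for user ASCR1:

  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultWASCert.SY1                 ID(ASCR1)      PERSONAL     YES
  WebSphereCA                        CERTAUTH       CERTAUTH     NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO
"""

# Constructed sample of RACDCERT LIST(LABEL('DefaultWASCert.SY1')) ID(ASCR1)
LIST_SAMPLE = """\
Digital certificate information for user ASCR1:

  Label: DefaultWASCert.SY1
  Certificate ID: 2QjDwuLo1MPZ8cSFhoGkk6PmweLDhZmjS+Lo8UBA
  Status: TRUST
  Start Date: 2007/11/16 00:00:00
  End Date:   2010/12/31 23:59:59
  Serial Number:
       >02<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
  Private Key Type: Non-ICSF
  Private Key Size: 1024
  Ring Associations:
    Ring Owner: ASCR1
    Ring:
       >WASKeyring.SY1<
"""

# One LISTRING table row: label (may contain blanks), owner, usage, default
ENTRY_RE = re.compile(
    r"^(?P<label>.+?)\s+(?P<owner>ID\([^)]+\)|CERTAUTH|SITE)"
    r"\s+(?P<usage>\S+)\s+(?P<default>YES|NO)$"
)


def parse_listring(text):
    """Return (ring name, [row dicts]) from RACDCERT LISTRING output."""
    ring, rows, in_table = None, [], False
    for raw in text.splitlines():
        s = raw.strip()
        if ring is None and s.startswith(">") and s.endswith("<"):
            ring = s[1:-1]
        elif s.startswith("----"):
            in_table = True
        elif in_table and s:
            m = ENTRY_RE.match(s)
            if m:
                rows.append(m.groupdict())
    return ring, rows


def parse_cert(text):
    """Return a dict of fields from RACDCERT LIST output. A value printed on the
    next line between > and < (serial, issuer, subject, ring) is attached to
    the key that preceded it."""
    info, pending = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if pending and s.startswith(">") and s.endswith("<"):
            info.setdefault(pending, s[1:-1])
            pending = None
        elif s.endswith(":"):
            pending = s[:-1]
        elif ":" in s:
            key, value = s.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def check_ring(ring, rows, signer="WebSphereCA", expect_personal=True):
    """Findings for one keyring: signer connected, exactly one default cert."""
    findings = []
    if signer not in {r["label"] for r in rows}:
        findings.append(f"{ring}: signer {signer} is not connected")
    defaults = [r for r in rows if r["usage"] == "PERSONAL" and r["default"] == "YES"]
    if expect_personal and len(defaults) != 1:
        findings.append(f"{ring}: expected one DEFAULT PERSONAL certificate, found {len(defaults)}")
    return findings


def check_cert(info, as_of, warn_days=90, min_key_bits=2048):
    """Findings for one certificate: trust status, expiry window, key size.
    warn_days and min_key_bits are policy assumptions of this example."""
    findings, label = [], info.get("Label", "?")
    if info.get("Status") != "TRUST":
        findings.append(f"{label}: status is {info.get('Status')}, not TRUST")
    end = datetime.strptime(info["End Date"], "%Y/%m/%d %H:%M:%S")
    days_left = (end - as_of).days
    if end <= as_of:
        findings.append(f"{label}: expired on {end:%Y-%m-%d}")
    elif days_left <= warn_days:
        findings.append(f"{label}: expires in {days_left} days ({end:%Y-%m-%d})")
    if int(info.get("Private Key Size", "0")) < min_key_bits:
        findings.append(f"{label}: {info.get('Private Key Size')}-bit key is below {min_key_bits}")
    return findings


if __name__ == "__main__":
    ring, rows = parse_listring(LISTRING_SAMPLE)
    for f in check_ring(ring, rows) + check_cert(parse_cert(LIST_SAMPLE), datetime(2010, 10, 29)):
        print(f)
```

    For the WSADMIN and WSADMSH rings, which carry only signer certificates, call check_ring with expect_personal=False. Saving each RACDCERT display to a file and running the checks after every keyring change gives an early warning before a certificate expiry breaks SSL between the daemon, control and servant regions.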

  • Conclusion

    WebSphere is now configured with z/OS Security.

    We welcome any feedback that may help improve this document. E-mail Keith Jabcuga ([email protected]) and Kawsar Kamal ([email protected]) with any suggestions.

