Moving from WebSphere Application Server security to a z/OS security product
A WebSphere for z/OS V7.0 step-by-step example
Keith Jabcuga Kawsar [email protected] [email protected]
WebSphere Software Support for z/OS, Poughkeepsie, NY, October 29, 2010
Doc ID: 7013154
Introduction
WebSphere Application Server for z/OS can be set up with either WebSphere Security or z/OS Security. After installing and configuring the application server with WebSphere security, an administrator may wish to switch an existing server over to z/OS Security.
This paper details the differences between WebSphere and z/OS Security, and provides the steps necessary to move from WebSphere Security to z/OS Security without having to reinstall or re-customize a new application server.
Before you begin
Prior to attempting any of the configuration changes in this document, ensure that the WebSphere configuration file system (HFS/ZFS) has been backed up. If any problems are encountered, the original configuration HFS/ZFS can then be restored.
The steps in this document are presented as sections and should be followed sequentially by section number. Depending on the current WebSphere configuration, some sections will not apply, as indicated in the list below:
Security Options
During WebSphere V7.0 for z/OS installation, administrative security can be enabled during initial cell customization. This is also referred to as "security out of the box". The WebSphere Customization Tool (WCT) presents the following three options, as shown in Figure 1: WCT - Administrative Security Selection:
1. Use a z/OS security product: the z/OS security product manages users, groups, and the authorization policy.
2. Use WebSphere Application Server: WebSphere Application Server manages users, groups, and the authorization policy.
3. Do not enable security.
Figure 1: WCT - Administrative Security Selection
Comparison of Security Options
Table 1: Security Comparison illustrates the differences in security setup based on the option chosen in the administrative security selection during WebSphere for z/OS installation.
Setting                            | z/OS Security                    | WebSphere Application Server Security | No Security
Administrative Security            | True                             | True                                  | False
Realm                              | Local OS                         | Federated Repositories                | Federated Repositories
Authorization                      | SAF authorization and delegation | Default Authorization                 | Default Authorization
SSL Configuration                  | SAF Keyring keystore/truststore  | HFS based keystore/truststore         | HFS based keystore/truststore
ssl.client.props                   | SAF Keyring keystore/truststore  | HFS based keystore/truststore         | HFS based keystore/truststore
RACF Commands (BBOWBRAK/BBODBRAK)  | Userids (wsadmin/wsguest), Groups, Keyring, Signer Certificate, Personal Certificate, CBIND, EJBROLE, CosNaming roles, Sync-to-thread, EnableTrustedApps | Userids, Groups | Userids, Groups
Table 1: Security Comparison
Moving from No Security to WebSphere Security
This paper documents how to move from WebSphere security to z/OS security. However, WebSphere may have been configured with No Security by choosing the third option, Do not enable security, in the WCT - Administrative Security Selection. To first move from No Security to WebSphere Security, the additional step of enabling administrative and application security is needed.
In the administrative console:
Security → Global Security
Check the boxes for Enable administrative security and Enable application security
Uncheck the box for Use Java 2 Security to restrict application access to local resources
Figure 2: Global Security
Server Customization Jobs
Certain RACF commands need to be executed in order to move a base application server, or a network deployment cell, from WebSphere Security to a configuration that uses z/OS Security. The following sections provide details on how to create the needed RACF commands using the WCT.
Base Application Server or Managed Node RACF commands
The first step in preparing to move a base application server or managed node from WebSphere Application security to WebSphere for z/OS security is to rerun the WCT choosing option 1, “Using a z/OS Security Product”. Once a new set of customization jobs is created, the DATA(BBOWBRAC) member contains the example RACF commands. Example 1: z/OS security specific commands from DATA(BBOWBRAC) shows the additional RACF commands generated for z/OS security. Do not execute all the commands generated in DATA(BBOWBRAC); only the commands after the comment “Activating classes needed only for z/OS security” should be executed. The prior commands have already been executed when setting up WebSphere security.
Note: The example commands were generated by choosing “Yes” for:
• Enable SSL on location service daemon
• SAF Profile Prefix
• Enable Writable SAF Keyring Support
The “Enable SSL on location service daemon” option will generate a keyring for the Daemon userid and connect the WebSphereCA signing certificate and personal certificate to the keyring.
The “SAF Profile Prefix” option will add a profile prefix to the CBIND, EJBROLE and APPL class profiles.
Activating classes needed only for z/OS security.
SETROPTS RACLIST(CBIND) GENERIC(CBIND)
SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT)

Adding WAS unauthenticated user ID
ADDUSER WSGUEST RESTRICTED DFLTGRP(WSCFG1) OMVS(UID(2402) HOME(/var/WebSphere/home/WSCFG1) PROGRAM(/bin/sh)) NAME('WAS DEFAULT USER') NOPASSWORD NOOIDCARD

APPL class setup. Used to control client access to a WebSphere Application Server for z/OS cell or group of cells.
RDEFINE APPL SY1 UACC(NONE)
PERMIT SY1 CLASS(APPL) ID(WSCFG1) ACCESS(READ)
PERMIT SY1 CLASS(APPL) ID(WSGUEST) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

Define and permit CB.BIND. profile to CBIND class. Used for determining if a client can access a controller region. Any userid can gain access to the controller region if it has READ access to the CB.BIND.cluster_name profile.
RDEFINE CBIND CB.BIND.SY1.** UACC(READ)
PERMIT CB.BIND.SY1.** CLASS(CBIND) ID(WSCFG1) ACCESS(CONTROL)

Define and permit CB. profile to CBIND class. Used for determining if a client can use J2EE applications in a server.
RDEFINE CBIND CB.SY1.** UACC(READ)
SETROPTS RACLIST(CBIND) GENERIC(CBIND) REFRESH

Setting up EJBRoles profiles for admin roles when using SAF authorization
SETROPTS CLASSACT(EJBROLE)
SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)

Defining roles for SAF access
RDEFINE EJBROLE SY1.administrator UACC(NONE)
RDEFINE EJBROLE SY1.auditor UACC(NONE)
RDEFINE EJBROLE SY1.monitor UACC(NONE)
RDEFINE EJBROLE SY1.configurator UACC(NONE)
RDEFINE EJBROLE SY1.operator UACC(NONE)
RDEFINE EJBROLE SY1.deployer UACC(NONE)
RDEFINE EJBROLE SY1.adminsecuritymanager UACC(NONE)
PERMIT SY1.adminsecuritymanager CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
PERMIT SY1.auditor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)

Setting up EJBRoles access for administrator and CR
PERMIT SY1.administrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

Setting up EJBRoles profiles for Naming roles
RDEFINE EJBROLE SY1.CosNamingRead UACC(READ)
PERMIT SY1.CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE SY1.CosNamingWrite UACC(NONE)
PERMIT SY1.CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE SY1.CosNamingCreate UACC(NONE)
PERMIT SY1.CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE SY1.CosNamingDelete UACC(NONE)
PERMIT SY1.CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
SETROPTS RACLIST(EJBROLE) REFRESH

Create SSL Certificate Authority certificate. This will be used to sign client and server certs.
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('WAS CertAuth for Security Domain') OU('SY1')) WITHLABEL('WebSphereCA') TRUST NOTAFTER(DATE(2018/12/31))

Facility class refresh
SETROPTS RACLIST(FACILITY) REFRESH

Create WebSphere controller keyring
RACDCERT ADDRING(WASKeyring.SY1) ID(ASCR1)

Generating certificate for WebSphere controller
RACDCERT ID (ASCR1) GENCERT SUBJECTSDN(CN('BOSS0071.PLEX1.L2.IBM.COM') O('IBM') OU('SY1')) WITHLABEL('DefaultWASCert.SY1') SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2018/12/31))

Connect controller certificate to controller keyring
RACDCERT ID(ASCR1) CONNECT (LABEL('DefaultWASCert.SY1') RING(WASKeyring.SY1) DEFAULT)

Connect WebSphere CA certificate to controller keyring
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to controller keyring
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('RSA Secure Server CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Server CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Premium Server CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Basic CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Freemail CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Premium CA') USAGE(CERTAUTH))
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign International Svr CA') USAGE(CERTAUTH))

Generating certificate for Location Service Daemon
RACDCERT ID (ASCR1) GENCERT SUBJECTSDN(CN('BOSS0071.PLEX1.L2.IBM.COM') O('IBM') OU('SY1')) WITHLABEL('DefaultDaemonCert.SY1') SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2018/12/31))

Connecting Daemon Certificate to the keyring
RACDCERT ID(ASCR1) CONNECT (LABEL('DefaultDaemonCert.SY1') RING(WASKeyring.SY1) DEFAULT)

Create WebSphere servant keyring
RACDCERT ADDRING(WASKeyring.SY1) ID(ASSR1)

Connect WAS CA Certificate to servant keyring
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect Commercial CAs to servant keyring
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('RSA Secure Server CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Server CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Premium Server CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Basic CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Freemail CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Premium CA') USAGE(CERTAUTH))
RACDCERT ID(ASSR1) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign International Svr CA') USAGE(CERTAUTH))

Creating SSL keyring for WebSphere administrator user id
RACDCERT ADDRING(WASKeyring.SY1) ID(WSADMIN)

Connect WAS CA Certificate to WebSphere administrator keyring
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect Commercial CAs to WebSphere administrator keyring
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('RSA Secure Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Premium Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Basic CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Freemail CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Premium CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign International Svr CA') USAGE(CERTAUTH))

Creating SSL keyring for WebSphere asynch administrator
RACDCERT ADDRING(WASKeyring.SY1) ID(WSADMSH)

Connect WAS CA Certificates to WebSphere asynch administrator keyring
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) LABEL('WebSphereCA') CERTAUTH)

Connect Commercial CAs to WebSphere asynch administrator keyring
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('RSA Secure Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Premium Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Basic CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Freemail CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Thawte Personal Premium CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMSH) CONNECT (RING(WASKeyring.SY1) CERTAUTH label('Verisign International Svr CA') USAGE(CERTAUTH))

Creating Root and Signers keyrings
RACDCERT ADDRING(WASKeyring.SY1.Root) ID(ASCR1)
RACDCERT ADDRING(WASKeyring.SY1.Signers) ID(ASCR1)

Connect root CA certificates to the root keyring
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1.Root) LABEL('WebSphereCA') CERTAUTH USAGE(PERSONAL))

Connect default signers to the default signers keyring
RACDCERT ID(ASCR1) CONNECT (RING(WASKeyring.SY1.Signers) LABEL('WebSphereCA') CERTAUTH)

Facility class refresh
SETROPTS RACLIST(FACILITY) REFRESH

Creating Sync-to-thread profile. Used for: Enabling Sync-to-thread. Controller region user ID needs READ or CONTROL access to enable Sync-to-thread. With READ access, only security environments representing users in the SURROGATE class are allowed, while CONTROL allows for security environments to represent any user.
RDEFINE FACILITY BBO.SYNC.SY1.BBOC001 UACC(NONE)

Creating EnableTrustedApplications profile. Used for: Allowing applications to perform operations normally reserved for privileged users.
RDEFINE FACILITY BBO.TRUSTEDAPPS.SY1.BBOC001 UACC(NONE)

Permit default WAS Configuration group to EnableTrustedApplications profile.
PERMIT BBO.TRUSTEDAPPS.SY1.BBOC001 CLASS(FACILITY) ID(WSCFG1) ACCESS(READ)
SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH

Define permissions required for writable keyring support
SETR CLASSACT(RDATALIB)
SETR RACLIST(RDATALIB) GENERIC(RDATALIB)
RDEFINE RDATALIB ASCR1.**.LST UACC(NONE)
RDEFINE RDATALIB ASSR1.**.LST UACC(NONE)
PERMIT ASCR1.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
PERMIT ASCR1.**.LST CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
PERMIT ASSR1.**.LST CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
PERMIT ASSR1.**.LST CLASS(RDATALIB) ID(ASSR1) ACC(CONTROL)
RDEFINE RDATALIB ASCR1.**.UPD UACC(NONE)
RDEFINE RDATALIB ASSR1.**.UPD UACC(NONE)
PERMIT ASCR1.**.UPD CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
PERMIT ASSR1.**.UPD CLASS(RDATALIB) ID(ASCR1) ACC(CONTROL)
RDEFINE RDATALIB WSADMIN.**.LST UACC(NONE)
PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
RDEFINE RDATALIB WSADMIN.**.UPD UACC(NONE)
PERMIT WSADMIN.**.UPD CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
SETR RACLIST(RDATALIB) REFRESH

Example 1: z/OS security specific commands from DATA(BBOWBRAC)
Deployment Manager Server RACF commands
In a network deployment setup, the next step is to move a Deployment Manager Server from WebSphere Application security to WebSphere for z/OS security by running the WCT choosing option 1, “Using a z/OS Security Product”. Once a new set of customization jobs is created, the DATA(BBODBRAC) member contains the new RACF commands. Example 2: z/OS security specific commands from DATA(BBODBRAK) shows the additional RACF commands generated for z/OS security. Do not execute all the commands generated in DATA(BBODBRAK); only the commands after the comment “Activating classes needed only for z/OS security” should be executed. The prior commands have already been executed when setting up WebSphere security.
Note: The example commands were generated by choosing “Yes” for:
• Enable SSL on location service daemon
• SAF Profile Prefix
• Enable Writable SAF Keyring Support
The “Enable SSL on location service daemon” option will generate a keyring for the Daemon userid and connect the WebSphereCA signing certificate and personal certificate to the keyring.
The “SAF Profile Prefix” option will add a profile prefix to the CBIND, EJBROLE and APPL class profiles.
Activating classes needed only for z/OS security.
SETROPTS CLASSACT(CBIND)
SETROPTS RACLIST(CBIND) GENERIC(CBIND)
SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT)

Adding WAS unauthenticated user ID
ADDUSER WSGUEST RESTRICTED DFLTGRP(WSCFG1) OMVS(UID(2402) HOME(/var/WebSphere/home/WSCFG1) PROGRAM(/bin/sh)) NAME('WAS DEFAULT USER') NOPASSWORD NOOIDCARD

APPL class setup. Used to control client access to a WebSphere Application Server for z/OS cell or group of cells.
RDEFINE APPL PLEX1 UACC(NONE)
PERMIT PLEX1 CLASS(APPL) ID(WSCFG1) ACCESS(READ)
PERMIT PLEX1 CLASS(APPL) ID(WSGUEST) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

Define and permit CB.BIND. profile to CBIND class. Used for determining if a client can access a controller region. Any userid can gain access to the controller region if it has READ access to the CB.BIND.cluster_name profile.
RDEFINE CBIND CB.BIND.PLEX1.** UACC(READ)
PERMIT CB.BIND.PLEX1.** CLASS(CBIND) ID(WSCFG1) ACCESS(CONTROL)

Define and permit CB. profile to CBIND class. Used for determining if a client can use J2EE applications in a server.
RDEFINE CBIND CB.PLEX1.** UACC(READ)
SETROPTS RACLIST(CBIND) GENERIC(CBIND) REFRESH

Setting up EJBRoles profiles for admin roles when using SAF authorization
SETROPTS CLASSACT(EJBROLE)
SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)

Defining roles for SAF access
RDEFINE EJBROLE PLEX1.administrator UACC(NONE)
RDEFINE EJBROLE PLEX1.auditor UACC(NONE)
RDEFINE EJBROLE PLEX1.monitor UACC(NONE)
RDEFINE EJBROLE PLEX1.configurator UACC(NONE)
RDEFINE EJBROLE PLEX1.operator UACC(NONE)
RDEFINE EJBROLE PLEX1.deployer UACC(NONE)
RDEFINE EJBROLE PLEX1.adminsecuritymanager UACC(NONE)
PERMIT PLEX1.adminsecuritymanager CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
PERMIT PLEX1.auditor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)

Setting up EJBRoles access for administrator and CR
PERMIT PLEX1.administrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)

Setting up EJBRoles profiles for Naming roles
RDEFINE EJBROLE PLEX1.CosNamingRead UACC(READ)
PERMIT PLEX1.CosNamingRead CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
RDEFINE EJBROLE PLEX1.CosNamingWrite UACC(NONE)
PERMIT PLEX1.CosNamingWrite CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE PLEX1.CosNamingCreate UACC(NONE)
PERMIT PLEX1.CosNamingCreate CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
RDEFINE EJBROLE PLEX1.CosNamingDelete UACC(NONE)
PERMIT PLEX1.CosNamingDelete CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
SETROPTS RACLIST(EJBROLE) REFRESH

Create SSL Certificate Authority certificate. This will be used to sign client and server certs.
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('WAS CertAuth for Security Domain') OU('PLEX1')) WITHLABEL('WebSphereCA') TRUST NOTAFTER(DATE(2018/12/31))

Create WebSphere controller keyring
RACDCERT ADDRING(WASKeyring.PLEX1) ID(DMCR1)

Generating certificate for WebSphere controller
RACDCERT ID (DMCR1) GENCERT SUBJECTSDN(CN('boss0071.plex1.l2.ibm.com') O('IBM') OU('PLEX1')) WITHLABEL('DefaultWASCert.PLEX1') SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2018/12/31))

Connect controller certificate to controller keyring
RACDCERT ID(DMCR1) CONNECT (LABEL('DefaultWASCert.PLEX1') RING(WASKeyring.PLEX1) DEFAULT)

Connect WebSphere CA certificate to controller keyring
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)

Connect commercial CAs to controller keyring
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('RSA Secure Server CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Server CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Premium Server CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Basic CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Freemail CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Premium CA') USAGE(CERTAUTH))
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign International Svr CA') USAGE(CERTAUTH))

Create WebSphere servant keyring
RACDCERT ADDRING(WASKeyring.PLEX1) ID(DMSR1)

Connect WAS CA Certificate to servant keyring
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)

Connect Commercial CAs to servant keyring
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('RSA Secure Server CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Server CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Premium Server CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Basic CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Freemail CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Premium CA') USAGE(CERTAUTH))
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign International Svr CA') USAGE(CERTAUTH))

Creating SSL keyring for WebSphere administrator
RACDCERT ADDRING(WASKeyring.PLEX1) ID(WSADMIN)

Connect WAS CA Certificate to WebSphere administrator keyring
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)

Connect Commercial CAs to WebSphere administrator keyring
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign Class 3 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign Class 1 Primary CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('RSA Secure Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Premium Server CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Basic CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Freemail CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Thawte Personal Premium CA') USAGE(CERTAUTH))
RACDCERT ID(WSADMIN) CONNECT (RING(WASKeyring.PLEX1) CERTAUTH label('Verisign International Svr CA') USAGE(CERTAUTH))

Creating Root and Signers keyrings
RACDCERT ADDRING(WASKeyring.PLEX1.Root) ID(DMCR1)
RACDCERT ADDRING(WASKeyring.PLEX1.Signers) ID(DMCR1)

Connect root CA certificates to the root keyring
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1.Root) LABEL('WebSphereCA') CERTAUTH USAGE(PERSONAL))

Connect default signers to the default signers keyring
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1.Signers) LABEL('WebSphereCA') CERTAUTH)

Facility class refresh
SETROPTS RACLIST(FACILITY) REFRESH

Creating Sync-to-thread profile. Used for: Enabling Sync-to-thread. Controller region user ID needs READ or CONTROL access to enable Sync-to-thread. With READ access, only security environments representing users in the SURROGATE class are allowed, while CONTROL allows for security environments to represent any user.
RDEFINE FACILITY BBO.SYNC.PLEX1.** UACC(NONE)

Creating EnableTrustedApplications profile. Used for: Allowing applications to perform operations normally reserved for privileged users.
RDEFINE FACILITY BBO.TRUSTEDAPPS.PLEX1.** UACC(NONE)

Permit default WAS Configuration group to EnableTrustedApplications profile.
PERMIT BBO.TRUSTEDAPPS.PLEX1.** CLASS(FACILITY) ID(WSCFG1) ACCESS(READ)
SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH

Define permissions required for writable keyring support
SETR CLASSACT(RDATALIB)
SETR RACLIST(RDATALIB) GENERIC(RDATALIB)
RDEFINE RDATALIB DMCR1.**.LST UACC(NONE)
RDEFINE RDATALIB DMSR1.**.LST UACC(NONE)
PERMIT DMCR1.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
PERMIT DMCR1.**.LST CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
PERMIT DMSR1.**.LST CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
PERMIT DMSR1.**.LST CLASS(RDATALIB) ID(DMSR1) ACC(CONTROL)
RDEFINE RDATALIB DMCR1.**.UPD UACC(NONE)
RDEFINE RDATALIB DMSR1.**.UPD UACC(NONE)
PERMIT DMCR1.**.UPD CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
PERMIT DMSR1.**.UPD CLASS(RDATALIB) ID(DMCR1) ACC(CONTROL)
RDEFINE RDATALIB WSADMIN.**.LST UACC(NONE)
PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSCFG1) ACC(READ)
PERMIT WSADMIN.**.LST CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
RDEFINE RDATALIB WSADMIN.**.UPD UACC(NONE)
PERMIT WSADMIN.**.UPD CLASS(RDATALIB) ID(WSADMIN) ACC(CONTROL)
SETR RACLIST(RDATALIB) REFRESH

Example 2: z/OS security specific commands from DATA(BBODBRAK)
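Before submitting a generated command stream to RACF, a quick consistency check catches copy errors between the base server and deployment manager variants, such as a keyring added for one userid and CONNECTed under another. The following Python script is an added example, not part of the paper or of the WCT output; it reads a stream in the style of DATA(BBOWBRAC) and reports PERMITs to profiles with no prior RDEFINE and RACDCERT CONNECTs to a ring that was not ADDRINGed for the same userid. The sample stream is constructed for the example.

```python
import re

# Constructed sample in the style of the DATA(BBOWBRAC) / DATA(BBODBRAK)
# streams above (not copied from the paper). It contains two deliberate
# mistakes: a PERMIT to a role that was never RDEFINEd, and a keyring added
# for ASCR1 while the CONNECT runs under DMCR1.
SAMPLE_STREAM = """
SETROPTS CLASSACT(EJBROLE)
RDEFINE EJBROLE PLEX1.administrator UACC(NONE)
PERMIT PLEX1.administrator CLASS(EJBROLE) ID(WSCFG1) ACCESS(READ)
PERMIT PLEX1.auditor CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)
RACDCERT ADDRING(WASKeyring.PLEX1) ID(ASCR1)
RACDCERT ID(DMCR1) CONNECT (RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)
RACDCERT ADDRING(WASKeyring.PLEX1) ID(DMSR1)
RACDCERT ID(DMSR1) CONNECT (RING(WASKeyring.PLEX1) LABEL('WebSphereCA') CERTAUTH)
"""

# RDEFINE <class> <profile> ...
_RDEFINE = re.compile(r"^RDEFINE\s+(\S+)\s+(\S+)", re.I)
# PERMIT <profile> ... CLASS(<class>) ...
_PERMIT = re.compile(r"^PERMIT\s+(\S+)\s.*?CLASS\(([^)]+)\)", re.I)
# RACDCERT ADDRING(<ring>) ID(<userid>)
_ADDRING = re.compile(r"^RACDCERT\s+ADDRING\(([^)]+)\)\s+ID\(([^)]+)\)", re.I)
# RACDCERT ID(<userid>) CONNECT ( ... RING(<ring>) ... )
_CONNECT = re.compile(r"^RACDCERT\s+ID\s*\(([^)]+)\)\s+CONNECT\b.*?RING\(([^)]+)\)", re.I)


def lint_racf_stream(text):
    """Return [(line_number, message)] for PERMITs without a prior RDEFINE
    and CONNECTs to a ring not ADDRINGed for the same userid.

    Profile and ring names are compared as written (EJBROLE profiles and
    keyring names are mixed case); class names and userids are upper-cased.
    """
    profiles = set()   # (CLASS, profile) seen in RDEFINE
    rings = set()      # (USERID, ring) seen in RACDCERT ADDRING
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if m := _RDEFINE.match(line):
            profiles.add((m.group(1).upper(), m.group(2)))
        elif m := _PERMIT.match(line):
            cls, profile = m.group(2).upper(), m.group(1)
            if (cls, profile) not in profiles:
                findings.append((lineno, f"PERMIT {profile} in class {cls} has no prior RDEFINE"))
        elif m := _ADDRING.match(line):
            rings.add((m.group(2).upper(), m.group(1)))
        elif m := _CONNECT.match(line):
            userid, ring = m.group(1).upper(), m.group(2)
            if (userid, ring) not in rings:
                findings.append((lineno, f"CONNECT under {userid} to ring {ring} not ADDRINGed for {userid}"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_racf_stream(SAMPLE_STREAM):
        print(f"line {lineno}: {message}")
```

Profiles that already exist in the RACF database before the stream runs will be reported as missing RDEFINEs, so review those findings rather than treating every one as an error.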
Enable SAF authorization
Mapping of userids to roles in J2EE applications and in the WebSphere runtime can be managed either by the WebSphere application server or by the SAF security product.
When Default authorization is selected, the WebSphere application server is responsible for managing the userid-to-role mapping. For example, userids are mapped to administrative roles in the administrative console under the “Users and Groups” section. These settings are stored in the admin-authz.xml file in the HFS. In addition, userids are mapped to application roles during deployment of an application in the step “Map security roles to users or groups”, and that mapping is stored in the application's extended descriptor files.
When System Authorization Facility (SAF) authorization is selected, the userids are permitted to roles defined in the security product. The HFS files used for Default Authorization are ignored.
Choosing WebSphere Security or No Security in the WCT - Administrative Security Selection panel will set up WebSphere with Default Authorization, and choosing “Use a z/OS security product” will set up WebSphere with SAF authorization.
In the administrative console:
Security → Global Security → External authorization providers
Change the authorization from Default Authorization to System Authorization Facility (SAF) authorization
As shown in Figure 3: External Authorization Providers
Figure 3: External Authorization Providers
Enable SAF delegation
WebSphere Application Server supports delegation, which allows a user identity to be represented as a J2EE role. Userids can be permitted to a role for purposes of authentication and authorization. After successful authentication, delegation in combination with a RunAs role can be used to have a method run under a specific ID.
For example, a web application configured for Basic Authentication can be set up with a RunAs role called TestRole. The example RACF definition permits USERA to TestRole, but delegates TestRole to USERB using the APPLDATA.
SETROPTS CLASSACT(EJBROLE)
RDEFINE EJBROLE PLEX1.TestRole UACC(NONE) APPLDATA(USERB)
PERMIT PLEX1.TestRole CLASS(EJBROLE) ID(USERA) ACCESS(READ)
SETROPTS RACLIST(EJBROLE) REFRESH
After USERA has authenticated to the web application, the user principal executing on the thread will be USERB.
Note: The example commands were generated by specifying PLEX1 as the optional SAF profile prefix in the WebSphere Customization Tool; therefore the EJBROLE and CBIND class definitions contain this prefix.
• The SAF profile prefix can be found in the administrative console in the SAF profile prefix text field under Global security > External authorization providers > SAF authorization options.
Choosing SAF authorization through the WCT - Administrative Security Selection panel will also enable SAF delegation. SAF delegation requires SAF authorization to be enabled. Although enabling SAF delegation is not required, the step is provided for consistency with a system set up with SAF authorization.
In the administrative console:
Security → Global Security → External authorization providers → SAF Authorization options
Check the box for Enable SAF Delegation
As shown in Figure 4: SAF authorization options - Delegation
Figure 4: SAF authorization options - Delegation
Switch from Federated Repository to Local OS
During the customization of WebSphere, choosing the second option (configure with WebSphere Application Server Security) or the third option (configure with no security) sets the current realm definition for the user account repository to Federated Repositories. To configure WebSphere to use the z/OS security product, the current realm definition should be changed to Local operating system in the administrative console.
In the administrative console:
Security → Global Security → Available realm definitions
Change the realm from Federated Repositories to Local operating system
As shown in Figure 5: User Account Repository Realm Definition
Figure 5: User Account Repository Realm Definition
SSL Configuration Changes
One of the major differences between WebSphere Security and z/OS security is the repository where certificates are stored. The SSL settings are managed by a set of inbound and outbound SSL configurations that consist of a keystore and a truststore. The following sections describe the SSL configuration changes needed when moving from WebSphere Security to z/OS Security.
Server SSL Configuration Summary
Certificates used for SSL communication can be stored in either an HFS file or a SAF keyring on WebSphere for z/OS. WebSphere uses either a KeyStore or a TrustStore to access these certificates. A KeyStore is a repository that contains one or more personal certificates signed by a certificate authority, together with each certificate's corresponding private key. A TrustStore is a special type of KeyStore which contains one or more signer certificates and each certificate's corresponding public key belonging to another trusted party. The certificates in the TrustStore are considered trusted because the TrustStore owner trusts that the public key in each certificate indeed belongs to the party identified by the subject (owner) of that certificate.
Choosing WebSphere security or No Security will set up a KeyStore and a TrustStore, each pointing to the absolute path of a PKCS12 file in the HFS. The accompanying figure illustrates the default KeyStore (NodeDefaultKeyStore) and TrustStore (NodeDefaultTrustStore) pointing to the files key.p12 and trust.p12 respectively.
In order to access certificates stored in the SAF security product, the KeyStore and TrustStore will need to contain a path that points to a SAF keyring. The format of the path is safkeyring:///<keyring_name>, where <keyring_name> is the name of the keyring created after running the jobs generated from the customization dialogues in which SAF security was chosen.
Client SSL Configuration SummaryThin client and J2EE application clients that make outbound SSL calls to the WebSphere application server will usually use the following java properties to point to a configuration file for client security settings. In addition, several of the WebSphere shell scripts such as wsadmin.sh, launchClient.sh, addNode.sh, and other scripts use these properties.
• com.ibm.CORBA.ConfigURL = /profiles/default/properties/sas.client.props
• com.ibm.SOAP.ConfigURL = /profiles/default/properties/soap.client.props
• com.ibm.SSL.ConfigURL = /profiles/default/properties/ssl.client.props
The file sas.client.props controls configuration settings for outbound RMI-IIOP calls, and the file soap.client.props controls configuration settings for outbound SOAP calls. Both files contain a property that points to an SSL configuration to be used by the client.
• com.ibm.ssl.alias = DefaultSSLSettings

The SSL configuration referred to by the alias property is defined in the ssl.client.props file.
Choosing WebSphere security or No Security sets up a KeyStore and a TrustStore, each pointing to the absolute path of a PKCS12 file in the HFS.
Example 3: Section from ssl.client.props for WebSphere Security or No Security shows the default keyStoreName (ClientDefaultKeyStore) and the default trustStoreName (ClientDefaultTrustStore) pointing to the keyStore file key.p12 and the trustStore file trust.p12 respectively. The default setup for WebSphere's HFS based keystore has a keyStoreType and trustStoreType of PKCS12 (Public Key Cryptography Standards version 12) and a password encoded using the {xor} algorithm. The keyStoreFileBased and trustStoreFileBased properties are set to true because the repository containing the certificates is an HFS file.
To change the ssl.client.props file from using an HFS based certificate repository to using a SAF keyring, the following properties need to be changed:
• com.ibm.ssl.keyStore
• com.ibm.ssl.keyStorePassword
• com.ibm.ssl.keyStoreType
• com.ibm.ssl.keyStoreFileBased
• com.ibm.ssl.trustStore
• com.ibm.ssl.trustStorePassword
• com.ibm.ssl.trustStoreType
• com.ibm.ssl.trustStoreFileBased
The KeyStore and TrustStore need to contain a path that points to a SAF keyring. The format of the path is safkeyring:///keyring_name, where keyring_name is the name of the keyring created after running the jobs generated from the customization dialogs in which SAF security was chosen. The keyStoreType and trustStoreType should be JCERACFKS (Java Cryptography Extension Resource Access Control Facility Keystore). The keyStorePassword and trustStorePassword should be set to the value “password” or to the value “{xor}Lz4sLCgwLTs=”, which is the string “password” after being encoded using the {xor} algorithm. Finally, the keyStoreFileBased and trustStoreFileBased properties should be set to false, since SAF keyrings are not HFS based files.
Example 4: Section from ssl.client.props setup with z/OS Security shows the default settings for these properties when WebSphere is set up with z/OS security.
#-------------------------------------------------------------------------
# This SSL configuration is used for all client SSL connections, by default
#-------------------------------------------------------------------------
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=gui
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=
#com.ibm.ssl.customKeyManager=
#com.ibm.ssl.dynamicSelectionInfo=
#com.ibm.ssl.enabledCipherSuites=

# KeyStore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=${user.root}/etc/key.p12
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=true

# TrustStore information
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreReadOnly=false

Example 3: Section from ssl.client.props for WebSphere Security or No Security
Base Configuration SSL Setup

In this section, the steps are given for creating a new keystore and truststore that point to a SAF keyring, and for validating that the keyring can be accessed by viewing the signer and personal certificate from the administrative console. In addition, the existing SSL configuration and the HFS SSL client properties file are updated to use the new keystore and truststore.
Before proceeding with this section, disable dynamic runtime updates of SSL configuration changes so that the changes are not reflected until the server is restarted. This prevents a user from being logged off the administrative console, and other complications, while the SSL changes are being made.
In the administrative console:
Security → Global Security → SSL certificate and key management
Uncheck Dynamically update the run time when SSL configuration changes occur
Click Apply and then save the changes.
Restart the application server to pick up the change.
Figure 6: Disabling dynamic runtime updates of SSL configuration changes
Creating a Node Level KeyStore and TrustStore to point to a SAF keyring

The existing NodeDefaultKeyStore and NodeDefaultTrustStore point to the key.p12 and trust.p12 files as shown in Figure 7: HFS Based KeyStore and TrustStore.
Figure 7: HFS Based KeyStore and TrustStore
Creating a new KeyStore using the administrative console
In the administrative console:
Security → Global Security → SSL certificate and key management → Key stores and certificates
Change the Keystore Usages dropdown to SSL Keystores
Click the New button
➔ Name: NodeDefaultSAFKeyStore
➔ Management Scope:
➔ Path: safkeyring:///WASKeyring.SY1
➔ Control region user:
➔ Servant region user:
➔ Password: password
➔ Confirm Password: password
➔ Type: JCERACFKS
➔ Read Only checked
Click Apply and then save the changes.
Figure 8: New SAF KeyStore
Creating a new TrustStore using the administrative console
In the administrative console:
Security → Global Security → SSL certificate and key management → Key stores and certificates
Change the Keystore Usages dropdown to SSL Keystores
Click the New button
➔ Name: NodeDefaultSAFTrustStore
➔ Management Scope:
➔ Path: safkeyring:///WASKeyring.SY1
➔ Control region user:
➔ Servant region user:
➔ Password: password
➔ Confirm Password: password
➔ Type: JCERACFKS
➔ Read Only checked
Click Apply and then save the changes.
Figure 9: New SAF TrustStore
Viewing the new SAF KeyStore and TrustStore
The NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore should now be listed showing a path pointing to a SAF keyring as illustrated in Figure 10: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore.
Figure 10: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore
Viewing the Signer and Personal Certificate

Restart the WebSphere application server and confirm that the SAF keyring pointed to by the NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore can be accessed and viewed by WebSphere.
In the administrative console:
Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFTrustStore → Signer Certificates
The signer certificate generated by the customization jobs should be listed as shown in Figure 11: NodeDefaultSAFTrustStore Signer Certificate.
In the administrative console:
Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFKeyStore → Personal Certificates
The personal certificate signed by the signer certificate should be listed as shown in Figure 12: NodeDefaultSAFKeyStore Personal Certificate.
Figure 11: NodeDefaultSAFTrustStore Signer Certificate
If no signer certificates are displayed in the NodeDefaultSAFTrustStore or no personal certificates are displayed in the NodeDefaultSAFKeyStore then there may be a problem with the configuration. Review section TroubleShooting Keystore and Truststore setup for possible ways to diagnose the problem.
Figure 12: NodeDefaultSAFKeyStore Personal Certificate
Update Node Level SSL Configuration to use new KeyStore & TrustStore

The SSL configuration NodeDefaultSSLSettings should be updated to use the newly created SAF KeyStore and SAF TrustStore. Additionally, the alias of the personal certificate to be used as the default should be selected.
In the administrative console:
Security → Global Security → SSL certificate and key management → SSL Configurations → NodeDefaultSSLSettings
➔ From the Truststore name dropdown select: NodeDefaultSAFTrustStore
➔ From the Keystore name dropdown select: NodeDefaultSAFKeyStore
Click Get certificate aliases button to populate the Default server certificate alias and Default client certificate alias dropdown.
Click Apply and then save the changes.
The result is shown in Figure 13: NodeDefaultSSLSettings TrustStore and KeyStore.
Figure 13: NodeDefaultSSLSettings TrustStore and KeyStore
Update Application Server ssl.client.props
Example 4: Section from ssl.client.props setup with z/OS Security shows the default KeyStore (ClientDefaultKeyStore) and the default TrustStore (ClientDefaultTrustStore) pointing to a SAF Keyring called WASKeyring.SY1.
#-------------------------------------------------------------------------
# This SSL configuration is used for all client SSL connections, by default
#-------------------------------------------------------------------------
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=gui
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=
#com.ibm.ssl.customKeyManager=
#com.ibm.ssl.dynamicSelectionInfo=
#com.ibm.ssl.enabledCipherSuites=

# KeyStore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=safkeyring:///WASKeyring.SY1
com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=false

# TrustStore information
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=safkeyring:///WASKeyring.SY1
com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=false
com.ibm.ssl.trustStoreReadOnly=true

Example 4: Section from ssl.client.props setup with z/OS Security
Note: The properties com.ibm.ssl.keyStorePassword and com.ibm.ssl.trustStorePassword show the value “{xor}Lz4sLCgwLTs=”, which is the string “password” after being encoded using the {xor} algorithm. The literal string “password” can be used instead, as seen below:

com.ibm.ssl.keyStorePassword=password
com.ibm.ssl.trustStorePassword=password
Ensure that there are no trailing spaces after any of the properties as this can lead to errors.
Network Deployment SSL Setup

In this section, the steps are given for creating a new keystore and truststore that point to a SAF keyring, and for validating that the keyring can be accessed by viewing the signer and personal certificate from the administrative console. In addition, the existing SSL configuration and the HFS SSL client properties file are updated to use the new keystore and truststore.
Before proceeding with this section, disable dynamic runtime updates of SSL configuration changes.
In the administrative console:
Security → Global Security → SSL certificate and key management
Uncheck Dynamically update the run time when SSL configuration changes occur
Click Apply and then save the changes.
Restart the application server to pick up the change.
Figure 14: Disabling dynamic runtime updates of SSL configuration changes
Creating a Cell Level KeyStore and TrustStore to point to a SAF keyring

The existing CellDefaultKeyStore and CellDefaultTrustStore point to the key.p12 and trust.p12 files as shown in Figure 15: HFS Based KeyStore and TrustStore.
Figure 15: HFS Based KeyStore and TrustStore
Creating a new KeyStore using the administrative console

In the administrative console:
Security → Global Security → Manage endpoint security configurations → Key stores and certificates
Click the New button
➔ Name: CellDefaultSAFKeyStore
➔ Management Scope:
➔ Path: safkeyring:///WASKeyring.PLEX1
➔ Password: password
➔ Confirm Password: password
➔ Read only checked
Click Apply and then save the changes.
Figure 16: New SAF KeyStore
Creating a new TrustStore using the administrative console
In the administrative console:
Security → Global Security → Manage endpoint security configurations → Key stores and certificates
Click the New button
➔ Name: CellDefaultSAFTrustStore
➔ Management Scope:
➔ Path: safkeyring:///WASKeyring.PLEX1
➔ Password: password
➔ Confirm Password: password
➔ Read only checked
Click Apply and then save the changes.
Figure 17: New SAF TrustStore
Viewing the new KeyStore and TrustStore
The CellDefaultSAFKeyStore and CellDefaultSAFTrustStore should now be listed showing a path pointing to a SAF keyring, as illustrated in Figure 18: CellDefaultSAFKeyStore and CellDefaultSAFTrustStore.
Figure 18: CellDefaultSAFKeyStore and CellDefaultSAFTrustStore
Viewing the Signer and Personal Certificate
Restart the WebSphere application server and confirm that the SAF keyring pointed to by the CellDefaultSAFKeyStore and CellDefaultSAFTrustStore can be accessed and viewed by WebSphere.
In the administrative console:
Security → Global Security → Manage endpoint security configurations → Key stores and certificates → CellDefaultSAFTrustStore → Signer certificates
The signer certificate generated by the customization jobs should be listed as shown in Figure 19: CellDefaultSAFTrustStore Signer Certificate.
Figure 19: CellDefaultSAFTrustStore Signer Certificate
In the administrative console:
Security → SSL certificate and key management → Manage endpoint security configurations → Key stores and certificates → CellDefaultSAFKeyStore → Personal certificates
The personal certificate signed by the signer certificate should be listed as shown in Figure 20: CellDefaultSAFKeyStore Personal Certificate.
Figure 20: CellDefaultSAFKeyStore Personal Certificate
Creating a New Node Level KeyStore and TrustStore to point to a SAF keyring

The NodeDefaultSSLSettings configuration will show the existing and newly created cell level keystores and truststores, and the existing NodeDefaultKeyStore and NodeDefaultTrustStore, which still point to the key.p12 and trust.p12 files as shown in Figure 21: HFS Based KeyStore and TrustStore.
At this Node scope the CellDefaultSAFKeyStore and CellDefaultSAFTrustStore can also be seen as displayed previously at the cell scope in section Viewing the new KeyStore and TrustStore.
Figure 21: HFS Based KeyStore and TrustStore
Creating a new KeyStore using the administrative console
Security → Global Security → SSL certificate and key management → Key stores and certificates
Change the Keystore Usages dropdown to SSL Keystores
Click the New button
➔ Name: NodeDefaultSAFKeyStore
➔ Management Scope:
➔ Path: safkeyring:///WASKeyring.SY1
➔ Control region user:
➔ Servant region user:
➔ Password: password
➔ Confirm Password: password
➔ Type: JCERACFKS
➔ Read Only checked
Click Apply and then save the changes.
Figure 22: New SAF KeyStore
Creating a new TrustStore using the administrative console
In the administrative console:
Security → Global Security → SSL certificate and key management → Key stores and certificates
Change the Keystore Usages dropdown to SSL Keystores
Click the New button
➔ Name: NodeDefaultSAFTrustStore
➔ Management Scope:
➔ Path: safkeyring:///WASKeyring.SY1
➔ Control region user:
➔ Servant region user:
➔ Password: password
➔ Confirm Password: password
➔ Type: JCERACFKS
➔ Read Only checked
Click Apply and then save the changes.
Figure 23: New SAF TrustStore
Viewing the new KeyStore and TrustStore
The NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore should now be listed showing a path pointing to a SAF keyring, as illustrated in Figure 24: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore.
Figure 24: NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore
Viewing the Signer and Personal Certificate
Restart the WebSphere application server and confirm that the SAF keyring pointed to by the NodeDefaultSAFKeyStore and NodeDefaultSAFTrustStore can be accessed and viewed by WebSphere.
In the administrative console:
Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFTrustStore → Signer certificates
The signer certificate generated by the customization jobs should be listed as shown in Figure 25: NodeDefaultSAFTrustStore Signer Certificate.
Figure 25: NodeDefaultSAFTrustStore Signer Certificate
In the administrative console:
Security → Global Security → SSL certificate and key management → Key stores and certificates → NodeDefaultSAFKeyStore → Personal certificates
The personal certificate signed by the signer certificate should be listed as shown in Figure 26: NodeDefaultSAFKeyStore Personal Certificate
Figure 26: NodeDefaultSAFKeyStore Personal Certificate
Update Cell Level SSL Configuration to use new KeyStore & TrustStore

The SSL configuration CellDefaultSSLSettings should be updated to use the newly created SAF KeyStore and SAF TrustStore. Additionally, the alias of the personal certificate to be used as the default should be selected.
In the administrative console:
Security → Global Security → SSL certificate and key management → SSL configurations → CellDefaultSSLSettings
➔ From the Truststore name dropdown select: CellDefaultSAFTrustStore
➔ From the Keystore name dropdown select: CellDefaultSAFKeyStore
Click Get certificate aliases button to populate the Default server certificate alias and Default client certificate alias dropdown.
Click Apply and then save the changes.
The result is shown in Figure 27: CellDefaultSSLSettings TrustStore and KeyStore.
Figure 27: CellDefaultSSLSettings TrustStore and KeyStore
Update Node Level SSL Configuration to use new KeyStore & TrustStore

The SSL configuration NodeDefaultSSLSettings should be updated to use the newly created SAF KeyStore and SAF TrustStore. Additionally, the alias of the personal certificate to be used as the default should be selected.
In the administrative console:
Security → Global Security → SSL certificate and key management → SSL configurations → NodeDefaultSSLSettings
➔ From the Truststore name dropdown select: NodeDefaultSAFTrustStore
➔ From the Keystore name dropdown select: NodeDefaultSAFKeyStore
Click Get certificate aliases button to populate the Default server certificate alias and Default client certificate alias dropdown.
Click Apply and then save the changes.
The result is shown in Figure 28: NodeDefaultSSLSettings TrustStore and Keystore.
Figure 28: NodeDefaultSSLSettings TrustStore and Keystore
Update Deployment Manager ssl.client.props
Example 5: Section from ssl.client.props setup with z/OS Security shows the default KeyStore (ClientDefaultKeyStore) and the default TrustStore (ClientDefaultTrustStore) pointing to a SAF keyring called WASKeyring.PLEX1.
The ssl.client.props file is located in the HFS at: /DeploymentManager/profiles/default/properties/ssl.client.props
#-------------------------------------------------------------------------
# This SSL configuration is used for all client SSL connections, by default
#-------------------------------------------------------------------------
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=gui
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=
#com.ibm.ssl.customKeyManager=
#com.ibm.ssl.dynamicSelectionInfo=
#com.ibm.ssl.enabledCipherSuites=

# KeyStore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=safkeyring:///WASKeyring.PLEX1
com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=false

# TrustStore information
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=safkeyring:///WASKeyring.PLEX1
com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=false
com.ibm.ssl.trustStoreReadOnly=true

Example 5: Section from ssl.client.props setup with z/OS Security
Note: The properties com.ibm.ssl.keyStorePassword and com.ibm.ssl.trustStorePassword show the value “{xor}Lz4sLCgwLTs=”, which is the string “password” after being encoded using the {xor} algorithm. The literal string “password” can be used instead, as seen below:

com.ibm.ssl.keyStorePassword=password
com.ibm.ssl.trustStorePassword=password
Ensure that there are no trailing spaces after any of the properties as this can lead to errors.
Update Application Server ssl.client.props
Example 6: Section from ssl.client.props setup with z/OS Security shows the default KeyStore (ClientDefaultKeyStore) and the default TrustStore (ClientDefaultTrustStore) pointing to a SAF Keyring called WASKeyring.SY1.
The ssl.client.props file is located in the HFS at: /AppServer/profiles/default/properties/ssl.client.props
#-------------------------------------------------------------------------
# This SSL configuration is used for all client SSL connections, by default
#-------------------------------------------------------------------------
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=gui
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=
#com.ibm.ssl.customKeyManager=
#com.ibm.ssl.dynamicSelectionInfo=
#com.ibm.ssl.enabledCipherSuites=

# KeyStore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=safkeyring:///WASKeyring.SY1
com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=false

# TrustStore information
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=safkeyring:///WASKeyring.SY1
com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=false
com.ibm.ssl.trustStoreReadOnly=true

Example 6: Section from ssl.client.props setup with z/OS Security
Note: The properties com.ibm.ssl.keyStorePassword and com.ibm.ssl.trustStorePassword show the value “{xor}Lz4sLCgwLTs=”, which is the string “password” after being encoded using the {xor} algorithm. The literal string “password” can be used instead, as seen below:

com.ibm.ssl.keyStorePassword=password
com.ibm.ssl.trustStorePassword=password
Ensure that there are no trailing spaces after any of the properties as this can lead to errors.
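The property rules listed under Client SSL Configuration Summary, the {xor} note repeated in Examples 4, 5 and 6, and the warning about trailing spaces can all be checked mechanically before a client script is run. The following script is an added example, not code from the paper or from WebSphere; it assumes that WebSphere's {xor} encoding is a byte-wise XOR with 0x5F followed by base64 (an assumption that reproduces both encoded values shown in this paper), and its sample inputs are constructed from Example 4 plus a deliberately half-migrated variant.

```python
import base64

# WebSphere's {xor} password obfuscation (assumption: each byte is XORed with
# 0x5F, the character '_', and the result is base64 encoded). It is encoding,
# not encryption: anyone who can read ssl.client.props can recover the value,
# so the file's HFS permissions still matter.
XOR_KEY = 0x5F


def xor_encode(plain: str) -> str:
    raw = bytes(b ^ XOR_KEY for b in plain.encode("ascii"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def xor_decode(value: str) -> str:
    """Return the clear-text value; a value without the {xor} prefix is already clear text."""
    if not value.startswith("{xor}"):
        return value
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")


def parse_props(text: str) -> dict:
    """Minimal .properties parser that keeps trailing whitespace in values,
    so the trailing-space mistake the paper warns about can be reported."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value
    return props


def check_saf_client_props(text: str) -> list:
    """Return the problems found in an ssl.client.props fragment; an empty list
    means both stores match the SAF keyring settings described in the paper."""
    props = parse_props(text)
    problems = []
    for store in ("keyStore", "trustStore"):
        prefix = "com.ibm.ssl." + store
        needed = [prefix + s for s in ("", "Password", "Type", "FileBased")]
        missing = [k for k in needed if k not in props]
        problems += [f"missing {k}" for k in missing]
        if missing:
            continue
        for k in needed:
            if props[k] != props[k].rstrip():
                problems.append(f"trailing whitespace after {k}")
        val = {k: props[k].strip() for k in needed}
        if not val[prefix].startswith("safkeyring:///") or val[prefix] == "safkeyring:///":
            problems.append(f"{prefix} is not a safkeyring:///keyring_name path")
        if val[prefix + "Type"] != "JCERACFKS":
            problems.append(f"{prefix}Type must be JCERACFKS, not {val[prefix + 'Type']}")
        if val[prefix + "FileBased"].lower() != "false":
            problems.append(f"{prefix}FileBased must be false for a SAF keyring")
        if xor_decode(val[prefix + "Password"]) != "password":
            problems.append(f"{prefix}Password must be 'password' or its {{xor}} form")
    return problems


# Constructed sample: the z/OS security settings from Example 4.
GOOD_PROPS = """\
# KeyStore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=safkeyring:///WASKeyring.SY1
com.ibm.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=false
# TrustStore information
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=safkeyring:///WASKeyring.SY1
com.ibm.ssl.trustStorePassword=password
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=false
com.ibm.ssl.trustStoreReadOnly=true
"""

# Constructed sample of a half-finished migration: the keystore still carries
# the HFS (PKCS12) settings and the truststore path has a trailing space.
BAD_PROPS = "\n".join([
    "com.ibm.ssl.keyStore=${user.root}/etc/key.p12",
    "com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=",
    "com.ibm.ssl.keyStoreType=PKCS12",
    "com.ibm.ssl.keyStoreFileBased=true",
    "com.ibm.ssl.trustStore=safkeyring:///WASKeyring.SY1 ",
    "com.ibm.ssl.trustStorePassword=password",
    "com.ibm.ssl.trustStoreType=JCERACFKS",
    "com.ibm.ssl.trustStoreFileBased=false",
])

if __name__ == "__main__":
    for name, text in (("Example 4", GOOD_PROPS), ("half-migrated", BAD_PROPS)):
        print(name, check_saf_client_props(text) or "OK")
```

Run against the paper's Example 4 settings the check reports nothing; against the half-migrated fragment it reports the PKCS12 keystore type, the file-based flag, the non-SAF path, the keystore password (which decodes to the HFS default rather than “password”) and the trailing space after the truststore path, which is the mistake the note above warns about.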
TroubleShooting Keystore and Truststore setup

When attempting to switch from WebSphere Security to z/OS Security, problems may occur in which a user cannot use the certificates in RACF. Some common external symptoms that may be encountered include:
• Certificates cannot be viewed from the administrative console.
• SSL handshake errors when logging onto the administrative console or during node synchronization.
• SSL handshake errors when attempting to connect with WebSphere shell scripts such as wsadmin.sh to the Deployment Manager or Application Server.
The following sections provide a list of items to review to help identify incorrect setup of SAF keyring or certificates.
Server diagnostics after switching to z/OS Security

List of items to review in RACF for keyrings and certificates:
1. Confirm that the WebSphere administrative group is permitted to IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING profiles in the FACILITY class with READ access.
2. Confirm that the SAF keyring being used is connected to the control region's userid, and contains a signer certificate and a personal certificate.
   RACDCERT LISTRING(keyring_name) ID(control_region_userid)
3. Confirm that the SAF keyring being used is connected to the servant region's userid, and contains a signer certificate.
   RACDCERT LISTRING(keyring_name) ID(servant_region_userid)
4. Display the details of the signer certificate, and confirm that it has TRUST status and is not expired.
   RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))
5. Display the details of the personal certificate, and confirm that it has TRUST status and is not expired.
   RACDCERT LIST(LABEL('PersonalCert')) ID(userid)
6. Follow the certificate chain to confirm a personal certificate is signed by the signer certificate. This can be done by confirming that the Issuer's Name of the personal certificate matches the Subject's Name of the certificate that signed it. A certificate chain may be multiple levels, and this step will need to be repeated up to the root certificate. The Issuer's Name will match the Subject's Name for a root certificate.
Note: Section Required Facility Setup for SAF Keyrings provides example commands and output for item 1.
Sections Base Application Server / Managed Node Keyring and Certificates and Deployment Manager Keyring and Certificates provide example commands and output for items 2 through 5.
Client diagnostics after switching to z/OS Security

List of items to review in RACF for keyrings and certificates:
1. Confirm that the client userid is permitted to IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING profiles in the FACILITY class with READ access.
2. Confirm that the keystore and truststore in ssl.client.props point to a SAF keyring.
3. Confirm that the SAF keyring being used is connected to the client userid, and contains the signer certificate of the Deployment Manager (Network Deployment) or Application Server (Base) control region.
   RACDCERT LISTRING(keyring_name) ID(client_userid)
4. Display the details of the signer certificate, and confirm that it has TRUST status and is not expired.
   RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))
5. Follow the certificate chain to confirm that the personal certificate on the keyring of the Deployment Manager userid (Network Deployment) or Application Server userid (Base) was signed by the signer certificate on the keyring of the client userid. This can be done by confirming that the Issuer's Name of the personal certificate matches the Subject's Name of the certificate that signed it. A certificate chain may be multiple levels, and this step will need to be repeated up to the root certificate. The Issuer's Name will match the Subject's Name for a root certificate.
Note: Section Required Facility Setup for SAF Keyrings provides example commands and output for item 1.
Sections Base Application Server / Managed Node Keyring and Certificates and Deployment Manager Keyring and Certificates provide example output for item 2.
When submitting a job that executes a shell script that makes an outbound SSL call (i.e. wsadmin.sh, addNode.sh), ensure that the job is submitted with the correct client id (i.e. wsadmin or equivalent).
When executing shell scripts that make an outbound SSL call (i.e. wsadmin.sh, addNode.sh) from an OMVS shell or telnet session, be sure to be logged in with the correct client userid (i.e. wsadmin or equivalent).
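Items 2 through 6 of the server diagnostics and items 3 through 5 of the client diagnostics above are checks on the text of RACDCERT LISTRING and RACDCERT LIST output: is a default personal certificate and the signer on the ring, is every certificate TRUSTed and unexpired, and does each Issuer's Name lead to a Subject's Name up to a self-issued root. The script below automates exactly those checks. It is an added example, not code from the paper or from RACF; the sample output it parses is constructed from the Deployment Manager listings later in this paper (labels, names and dates are the paper's, the line layout is assumed to be the usual RACDCERT format with names bracketed by > and <), and the as_of date is passed in explicitly so that expiry is judged against a chosen date rather than the clock.

```python
import re
from datetime import datetime

# Constructed sample output, assembled from this paper's RACDCERT listings.
RACDCERT_LIST = """\
Digital certificate information for user DMCR1:
  Label: DefaultWASDmgrCert.PLEX1
  Status: TRUST
  Start Date: 2010/09/01 00:00:00
  End Date:   2018/12/31 23:59:59
  Serial Number:
       >06<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=PLEX1.O=IBM<
Digital certificate information for CERTAUTH:
  Label: WebSphereCA
  Status: TRUST
  End Date:   2018/12/31 23:59:59
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
"""

RACDCERT_LISTRING = """\
Digital ring information for user DMCR1:
  Ring:
       >WASKeyring.PLEX1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultWASDmgrCert.PLEX1           ID(DMCR1)      PERSONAL   YES
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
"""

NAME_FIELDS = {"Issuer's Name:": "issuer", "Subject's Name:": "subject"}


def parse_racdcert_list(output: str) -> list:
    """Parse RACDCERT LIST output into one dict per certificate."""
    certs, cur, pending = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Label:"):
            cur = {"label": line[len("Label:"):].strip()}
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("End Date:"):
            cur["end"] = datetime.strptime(line.split(":", 1)[1].strip(), "%Y/%m/%d %H:%M:%S")
        elif line in NAME_FIELDS:          # the bracketed name follows on the next line
            pending = NAME_FIELDS[line]
        elif pending and line.startswith(">") and line.endswith("<"):
            cur[pending] = line[1:-1]
            pending = None
    return certs


def parse_racdcert_listring(output: str) -> list:
    """Parse the certificate table of RACDCERT LISTRING output."""
    row = re.compile(r"^\s*(.+?)\s{2,}(ID\(\w+\)|CERTAUTH|SITE)\s+(PERSONAL|CERTAUTH|SITE)\s+(YES|NO)\s*$")
    rows = []
    for line in output.splitlines():
        m = row.match(line)
        if m:
            rows.append({"label": m.group(1), "owner": m.group(2),
                         "usage": m.group(3), "default": m.group(4) == "YES"})
    return rows


def check_ring(rows: list, signer_label: str) -> list:
    """Server items 2 and 3 / client item 3: a default personal certificate and the signer."""
    problems = []
    if not any(r["usage"] == "PERSONAL" and r["default"] for r in rows):
        problems.append("no DEFAULT personal certificate on the ring")
    if not any(r["usage"] == "CERTAUTH" and r["label"] == signer_label for r in rows):
        problems.append(f"signer {signer_label} is not connected to the ring")
    return problems


def check_chain(certs: list, leaf_label: str, as_of: str) -> tuple:
    """Items 4 to 6: follow Issuer's Name to the certificate with that Subject's Name
    up to the root (issuer == subject), checking TRUST and expiry on the way.
    as_of is the date expiry is judged against, written like RACDCERT's dates."""
    cutoff = datetime.strptime(as_of, "%Y/%m/%d")
    by_subject = {c.get("subject"): c for c in certs}
    cert = next((c for c in certs if c["label"] == leaf_label), None)
    if cert is None:
        return [f"certificate {leaf_label} not found"], []
    problems, chain = [], []
    while cert["label"] not in chain:              # loop guard for malformed chains
        chain.append(cert["label"])
        if cert.get("status") != "TRUST":
            problems.append(f"{cert['label']}: status {cert.get('status')}, not TRUST")
        if cert["end"] < cutoff:
            problems.append(f"{cert['label']}: expired {cert['end']:%Y/%m/%d}")
        if cert["issuer"] == cert["subject"]:
            return problems, chain                 # self-issued root reached
        cert = by_subject.get(cert["issuer"])
        if cert is None:
            return problems + [f"{chain[-1]}: issuer is not among the listed certificates"], chain
    return problems + ["certificate chain loops"], chain


if __name__ == "__main__":
    print("ring:", check_ring(parse_racdcert_listring(RACDCERT_LISTRING), "WebSphereCA") or "OK")
    certs = parse_racdcert_list(RACDCERT_LIST)
    print("chain:", check_chain(certs, "DefaultWASDmgrCert.PLEX1", "2010/10/29"))
```

Judged as of the paper's date the sample chain is clean: DefaultWASDmgrCert.PLEX1 leads to WebSphereCA, whose Issuer's Name equals its Subject's Name. Judged as of 2019 the same output yields two "expired" findings, which is the failure mode item 4 and item 5 ask you to look for and is easy to miss when reading RACDCERT output by eye.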
Example z/OS Security Setup with RACF Outputs

This section provides RACF commands to obtain information about FACILITY profiles, keyrings and certificates used in an example z/OS security setup.
Userids and Keyrings

The groupid and userids used in this security setup:
GroupID   UserID     Keyring              Description
WSCFG1    DMCR1      WASKeyring.PLEX1     Deployment Manager Control Region Userid
          DMSR1      WASKeyring.PLEX1     Deployment Manager Servant Region Userid
          ASCR1      WASKeyring.SY1       Node Agent Control Region Userid
                                          Application Server Control Region Userid
          ASSR1      WASKeyring.SY1       Application Server Servant Region Userid
          WSDMNCR1   WASKeyring.PLEX1     Daemon Userid on Deployment Manager LPAR
                     WASKeyring.SY1       Daemon Userid on Application Server LPAR
          ASCRA1     WASKeyring.SY1       Adjunct Control Region Userid
          WSADMIN    WASKeyring.PLEX1     WebSphere Administrative Userid
                     WASKeyring.SY1
          WSADMSH    WASKeyring.SY1       Default Asynch Admin Task Userid

Table 2: Userid and Keyring Used in Sample Commands
Required Facility Setup for SAF Keyrings

WebSphere administrative group WSCFG1 is permitted with READ access to the IRR.DIGTCERT.LIST profile in the FACILITY class.

RLIST FACILITY IRR.DIGTCERT.LIST ALL
CLASS      NAME
-----      ----
FACILITY   IRR.DIGTCERT.LIST

LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    IBMUSER   CONTROL           ALTER        NO

INSTALLATION DATA
NONE

APPLICATION DATA
NONE

SECLEVEL
NO SECLEVEL

CATEGORIES
NO CATEGORIES

SECLABEL
NO SECLABEL

AUDITING
FAILURES(READ)

NOTIFY
NO USER TO BE NOTIFIED

CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
(DAY) (YEAR)   (DAY) (YEAR)         (DAY) (YEAR)
-------------  -------------------  ----------------
 075    03      075    03            075    03

ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
-----------  -------------  ------------  ----------
   000000        000000        000000       000000

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
IBMUSER   ALTER      000000
WSCFG1    READ       000000

ID        ACCESS   ACCESS COUNT  CLASS     ENTITY NAME
--------  -------  ------------  --------  ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST

WebSphere administrative group WSCFG1 is permitted with READ access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class.

RLIST FACILITY IRR.DIGTCERT.LISTRING ALL
CLASS      NAME
-----      ----
FACILITY   IRR.DIGTCERT.LISTRING

LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    IBMUSER   CONTROL           ALTER        NO

INSTALLATION DATA
NONE

APPLICATION DATA
NONE

SECLEVEL
NO SECLEVEL

CATEGORIES
NO CATEGORIES

SECLABEL
NO SECLABEL

AUDITING
FAILURES(READ)

NOTIFY
NO USER TO BE NOTIFIED

CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
(DAY) (YEAR)   (DAY) (YEAR)         (DAY) (YEAR)
-------------  -------------------  ----------------
 075    03      075    03            075    03

ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
-----------  -------------  ------------  ----------
   000000        000000        000000       000000

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
IBMUSER   ALTER      000000
WSCFG1    READ       000000

ID        ACCESS   ACCESS COUNT  CLASS     ENTITY NAME
--------  -------  ------------  --------  ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
Signing certificate WebSphereCA used in all keyrings

Displaying signer certificate details.

RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))
Digital certificate information for CERTAUTH:
  Label: WebSphereCA
  Certificate ID: 2QiJmZmDhZmjgeaFguKXiIWZhcPB
  Status: TRUST
  Start Date: 2010/09/01 00:00:00
  End Date:   2018/12/31 23:59:59
  Serial Number:
       >00<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Key Usage: CERTSIGN
  Private Key Type: Non-ICSF
  Private Key Size: 1024
  Ring Associations:
    Ring Owner: WSDMNCR1  Ring: >WASKeyring.SY1<
    Ring Owner: ASCR1     Ring: >WASKeyring.SY1<
    Ring Owner: ASSR1     Ring: >WASKeyring.SY1<
    Ring Owner: ASCRA1    Ring: >WASKeyring.SY1<
    Ring Owner: WSADMIN   Ring: >WASKeyring.SY1<
    Ring Owner: CBSYMCR1  Ring: >WASKeyring.SY1.Root<
    Ring Owner: CBSYMCR1  Ring: >WASKeyring.SY1.Signers<
    Ring Owner: WSADMSH   Ring: >WASKeyring.PLEX1<
    Ring Owner: WSDMNCR1  Ring: >WASKeyring.PLEX1<
    Ring Owner: DMCR1     Ring: >WASKeyring.PLEX1<
    Ring Owner: DMSR1     Ring: >WASKeyring.PLEX1<
    Ring Owner: WSADMIN   Ring: >WASKeyring.PLEX1<
    Ring Owner: DMCR1     Ring: >WASKeyring.PLEX1.Root<
    Ring Owner: DMCR1     Ring: >WASKeyring.PLEX1.Signers<
Deployment Manager Keyring and Certificates
Listing the certificates for the SAF Keyring connected to the Deployment Manager control region's userid.
RACDCERT LISTRING(WASKeyring.PLEX1) ID(DMCR1)
Digital ring information for user DMCR1:
  Ring:
       >WASKeyring.PLEX1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultWASDmgrCert.PLEX1           ID(DMCR1)      PERSONAL   YES
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO
  DefaultDaemonCert.PLEX1            ID(DMCR1)      PERSONAL   YES
Listing the certificates for the SAF Keyring connected to the Deployment Manager servant region's userid.
RACDCERT LISTRING(WASKeyring.PLEX1) ID(DMSR1)Digital ring information for user DMSR1: Ring: >WASKeyring.PLEX1< Certificate Label Name Cert Owner USAGE DEFAULT-------------------------------- ------------ -------- -------WebSphereCA CERTAUTH CERTAUTH NO Verisign Class 3 Primary CA CERTAUTH CERTAUTH NO Verisign Class 1 Primary CA CERTAUTH CERTAUTH NO RSA Secure Server CA CERTAUTH CERTAUTH NO Thawte Server CA CERTAUTH CERTAUTH NO Thawte Premium Server CA CERTAUTH CERTAUTH NO Thawte Personal Basic CA CERTAUTH CERTAUTH NO Thawte Personal Freemail CA CERTAUTH CERTAUTH NO Thawte Personal Premium CA CERTAUTH CERTAUTH NO Verisign International Svr CA CERTAUTH CERTAUTH NO
Displaying Personal certificate details for the Deployment Managers control region's userid.RACDCERT LIST (LABEL('DefaultWASDmgrCert.PLEX1')) ID(DMCR1)Digital certificate information for user DMCR1: Label: DefaultWASDmgrCert.PLEX1 Certificate ID: 2QXE1MPZ8cSFhoGkk6PmweLElIeZw4WZo0vX08Xn8UBAStatus: TRUST Start Date: 2010/09/01 00:00:00 End Date: 2018/12/31 23:59:59 Serial Number: >06< Issuer's Name: >CN=WAS CertAuth for Security Domain.OU=SY1< Subject's Name: >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=PLEX1.O=IBM< Private Key Type: Non-ICSF Private Key Size: 1024 Ring Associations: Ring Owner: DMCR1 Ring:>WASKeyring.PLEX1<
Displaying Signer certificate details.RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))See section Signing certificate WebSphereCA used in all keyrings
Base Application Server / Managed Node Keyring and Certificates

Listing the certificates for the SAF Keyring connected to the Application Server control region's userid.

RACDCERT LISTRING(WASKeyring.SY1) ID(ASCR1)

Digital ring information for user ASCR1:

  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultWASCert.SY1                 ID(ASCR1)      PERSONAL   YES
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO

Listing the certificates for the SAF Keyring connected to the Application Server servant region's userid.

RACDCERT LISTRING(WASKeyring.SY1) ID(ASSR1)

Digital ring information for user ASSR1:

  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO

Displaying Personal certificate details for the Application Server control region's userid.

RACDCERT LIST(LABEL('DefaultWASCert.SY1')) ID(ASCR1)

Digital certificate information for user ASCR1:
  Label: DefaultWASCert.SY1
  Certificate ID: 2QjDwuLo1MPZ8cSFhoGkk6PmweLDhZmjS+Lo8UBA
  Status: TRUST
  Start Date: 2007/11/16 00:00:00
  End Date:   2010/12/31 23:59:59
  Serial Number:
       >02<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
  Private Key Type: Non-ICSF
  Private Key Size: 1024
  Ring Associations:
    Ring Owner: ASCR1
    Ring:
       >WASKeyring.SY1<

Displaying Signer certificate details.

RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

See section "Signing certificate WebSphereCA used in all keyrings".
Daemon Keyring and Certificates

Listing the certificates for the SAF Keyring connected to the Daemon userid on PLEX1.

RACDCERT LISTRING(WASKeyring.PLEX1) ID(WSDMNCR1)

Digital ring information for user WSDMNCR1:

  Ring:
       >WASKeyring.PLEX1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultWASDmDaemonCert.PLEX1       ID(WSDMNCR1)   PERSONAL   YES
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO

Displaying Personal certificate details for the Daemon userid on PLEX1.

RACDCERT LIST(LABEL('DefaultWASDmDaemonCert.PLEX1')) ID(WSDMNCR1)

Digital certificate information for user WSDMNCR1:
  Label: DefaultWASDmDaemonCert.PLEX1
  Certificate ID: 2QjDwsTU1cPZ8cSFhoGkk6PmweLElMSBhZSWlcOFmaNL19PF5/FA
  Status: TRUST
  Start Date: 2007/11/16 00:00:00
  End Date:   2010/12/31 23:59:59
  Serial Number:
       >05<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=PLEX1.O=IBM<
  Private Key Type: Non-ICSF
  Private Key Size: 1024
  Ring Associations:
    Ring Owner: WSDMNCR1
    Ring:
       >WASKeyring.PLEX1<

Displaying Signer certificate details.

RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

See section "Signing certificate WebSphereCA used in all keyrings".

Listing the certificates for the SAF Keyring connected to the Daemon userid on SY1.

RACDCERT LISTRING(WASKeyring.SY1) ID(WSDMNCR1)

Digital ring information for user WSDMNCR1:

  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultDaemonCert.SY1              ID(WSDMNCR1)   PERSONAL   YES
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO

Displaying Personal certificate details for the Daemon userid on SY1.

RACDCERT LIST(LABEL('DefaultDaemonCert.SY1')) ID(WSDMNCR1)

Digital certificate information for user WSDMNCR1:
  Label: DefaultDaemonCert.SY1
  Certificate ID: 2QjDwsTU1cPZ8cSFhoGkk6PEgYWUlpXDhZmjS+Lo8UBA
  Status: TRUST
  Start Date: 2007/11/16 00:00:00
  End Date:   2010/12/31 23:59:59
  Serial Number:
       >01<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
  Private Key Type: Non-ICSF
  Private Key Size: 1024
  Ring Associations:
    Ring Owner: WSDMNCR1
    Ring:
       >WASKeyring.SY1<

Displaying Signer certificate details.

RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

See section "Signing certificate WebSphereCA used in all keyrings".
Adjunct Keyring and Certificates

Listing the certificates for the SAF Keyring connected to the Adjunct control region's userid.

RACDCERT LISTRING(WASKeyring.SY1) ID(ASCRA1)

Digital ring information for user ASCRA1:

  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultAdjunctCert.SY1             ID(ASCRA1)     PERSONAL   YES
  WebSphereCA                        CERTAUTH       CERTAUTH   NO

Displaying Personal certificate details for the Adjunct control region's userid.

RACDCERT LIST(LABEL('DefaultAdjunctCert.SY1')) ID(ASCRA1)

Digital certificate information for user ASCRA1:
  Label: DefaultAdjunctCert.SY1
  Certificate ID: 2QbB4sPZwfHEhYaBpJOjwYSRpJWDo8OFmaNL4ujx
  Status: TRUST
  Start Date: 2007/11/16 00:00:00
  End Date:   2010/12/31 23:59:59
  Serial Number:
       >03<
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
  Private Key Type: Non-ICSF
  Private Key Size: 1024
  Ring Associations:
    Ring Owner: ASCRA1
    Ring:
       >WASKeyring.SY1<

Displaying Signer certificate details.

RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

See section "Signing certificate WebSphereCA used in all keyrings".
WebSphere Administrative Userid Keyring and Certificates

The administrative userids hold no personal certificate; their keyrings contain only the signer certificates needed to trust the servers they connect to.

Listing the certificates for the SAF Keyring connected to the WebSphere administrative userid on PLEX1.

RACDCERT LISTRING(WASKeyring.PLEX1) ID(WSADMIN)

  Ring:
       >WASKeyring.PLEX1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO

Listing the certificates for the SAF Keyring connected to the WebSphere administrative userid on SY1.

RACDCERT LISTRING(WASKeyring.SY1) ID(WSADMIN)

  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO

Listing the certificates for the SAF Keyring connected to the default asynchronous admin task userid on SY1.

RACDCERT LISTRING(WASKeyring.SY1) ID(WSADMSH)

Digital ring information for user WSADMSH:

  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
  Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH   NO
  RSA Secure Server CA               CERTAUTH       CERTAUTH   NO
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
  Thawte Premium Server CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Basic CA           CERTAUTH       CERTAUTH   NO
  Thawte Personal Freemail CA        CERTAUTH       CERTAUTH   NO
  Thawte Personal Premium CA         CERTAUTH       CERTAUTH   NO
  Verisign International Svr CA      CERTAUTH       CERTAUTH   NO

Displaying Signer certificate details.

RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

See section "Signing certificate WebSphereCA used in all keyrings".
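The listings above are what an administrator reads by eye to confirm that each keyring is complete and current. The following script, added here as an example and not part of the IBM paper, automates that review: it parses the text that RACDCERT LIST and RACDCERT LISTRING print, then reports certificates that are expired or about to expire, private keys shorter than 2048 bits, and keyrings that hold a personal certificate without also holding the CERTAUTH certificate that issued it. The sample input is a constructed, abbreviated copy of the WebSphereCA and ASCR1 listings from this appendix, plus a hypothetical userid TESTSRV1 with ring WASKeyring.TEST whose signer is deliberately missing; run it against real RACDCERT output saved to a file to audit a live system.

```python
"""Audit RACDCERT LIST / LISTRING text for a WebSphere SAF keyring setup (added
example, not from the IBM paper): flags expiring certificates, keys shorter than
2048 bits, and rings that do not hold the signer of their personal certificate."""
from __future__ import annotations
import re
from collections import namedtuple
from datetime import date

PAPER_DATE = date(2010, 10, 29)  # date on the paper's title page

# Constructed sample: abbreviated copies of two listings from the appendix, laid
# out one field per line as RACF prints them (Certificate ID, Status etc. omitted).
SAMPLE_LIST = """\
Digital certificate information for CERTAUTH:
  Label: WebSphereCA
  End Date:   2018/12/31 23:59:59
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Private Key Size: 1024
Digital certificate information for user ASCR1:
  Label: DefaultWASCert.SY1
  End Date:   2010/12/31 23:59:59
  Issuer's Name:
       >CN=WAS CertAuth for Security Domain.OU=SY1<
  Subject's Name:
       >CN=BOSSXXXX.PLEX1.L2.IBM.COM.OU=SY1.O=IBM<
  Private Key Size: 1024
"""
# The ASCR1 ring from the appendix plus a constructed ring for a hypothetical
# user TESTSRV1 that holds the personal certificate but not its signer.
SAMPLE_RINGS = """\
Digital ring information for user ASCR1:
  Ring:
       >WASKeyring.SY1<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultWASCert.SY1                 ID(ASCR1)      PERSONAL   YES
  WebSphereCA                        CERTAUTH       CERTAUTH   NO
  Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH   NO
Digital ring information for user TESTSRV1:
  Ring:
       >WASKeyring.TEST<
  DefaultWASCert.SY1                 ID(ASCR1)      PERSONAL   YES
  Thawte Server CA                   CERTAUTH       CERTAUTH   NO
"""

Cert = namedtuple("Cert", "label owner end_date issuer subject key_size")
Ring = namedtuple("Ring", "owner name entries")  # entries: (label, owner, usage, default)

CERT_HDR = re.compile(r"Digital certificate information for (?:user )?(\S+):")
RING_HDR = re.compile(r"Digital ring information for user (\S+):")
# One LISTRING table row; the column header and dashed lines never match.
RING_ROW = re.compile(r"^\s*(\S.*?)\s+(ID\(\w+\)|CERTAUTH|SITE)\s+"
                      r"(PERSONAL|CERTAUTH|SITE)\s+(YES|NO)\s*$", re.MULTILINE)

def _blocks(header: re.Pattern, text: str):
    parts = header.split(text)  # [prefix, owner1, body1, owner2, body2, ...]
    return zip(parts[1::2], parts[2::2])

def parse_list(text: str) -> list[Cert]:
    """One Cert per 'Digital certificate information' block of RACDCERT LIST output."""
    certs = []
    for owner, body in _blocks(CERT_HDR, text):
        g = lambda pat: re.search(pat, body).group(1).strip()  # first capture group
        y, m, d = map(int, g(r"End Date:\s*(\d{4}/\d{2}/\d{2})").split("/"))
        size = re.search(r"Private Key Size:\s*(\d+)", body)  # absent for key-less certs
        certs.append(Cert(g(r"Label:\s*(.+)"), owner, date(y, m, d),
                          g(r"Issuer's Name:\s*>([^<]*)<"),
                          g(r"Subject's Name:\s*>([^<]*)<"),
                          int(size.group(1)) if size else None))
    return certs

def parse_rings(text: str) -> list[Ring]:
    return [Ring(owner, re.search(r"Ring:\s*>([^<]*)<", body).group(1), RING_ROW.findall(body))
            for owner, body in _blocks(RING_HDR, text)]

def audit(certs: list[Cert], rings: list[Ring], today: date, warn_days: int = 90) -> list[str]:
    """Return one finding per problem; an empty list means the setup looks clean."""
    findings = []
    by_label = {c.label: c for c in certs}
    ca_for_subject = {c.subject: c.label for c in certs if c.owner == "CERTAUTH"}
    for c in certs:
        left = (c.end_date - today).days
        if left < 0:
            findings.append(f"EXPIRED  {c.label} ({c.owner}) on {c.end_date}")
        elif left <= warn_days:
            findings.append(f"EXPIRING {c.label} ({c.owner}) in {left} days")
        if c.key_size is not None and c.key_size < 2048:
            findings.append(f"WEAKKEY  {c.label} ({c.owner}) {c.key_size}-bit key")
    for r in rings:
        signers = {label for label, _, usage, _ in r.entries if usage == "CERTAUTH"}
        for label, _, usage, _ in r.entries:
            cert = by_label.get(label) if usage == "PERSONAL" else None
            # A server certificate is unusable if its issuing CA is not in the same ring.
            if cert and ca_for_subject.get(cert.issuer) not in signers:
                findings.append(f"NOSIGNER {r.owner}/{r.name}: issuer of {label} is not connected")
    return findings

if __name__ == "__main__":
    for line in audit(parse_list(SAMPLE_LIST), parse_rings(SAMPLE_RINGS), PAPER_DATE):
        print(line)
```

Run against the sample on the paper's date, the script reports the 1024-bit keys of both certificates, the ASCR1 server certificate expiring in 63 days, and the missing WebSphereCA signer in the constructed TESTSRV1 ring; the real rings in the appendix pass the signer check because WebSphereCA is connected to every one of them. The regular expressions tolerate the field values either on the same line as the field name or on the following line, so output captured from TSO or from a batch job works unchanged; the threshold of 2048 bits follows current guidance for RSA and is not something the paper states.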
Conclusion

WebSphere is now configured with z/OS Security.
We welcome any feedback that may help improve this document. E-mail Keith Jabcuga ([email protected]) and Kawsar Kamal ([email protected]) with any suggestions.
Document outline

Introduction
Before you begin
Security Options
Comparison of Security Options
Moving from No Security to WebSphere Security
  Server Customization Jobs
  Base Application Server or Managed Node RACF commands
  Deployment Manager Server RACF commands
Enable SAF authorization
Enable SAF delegation
Switch from Federated Repository to Local OS
SSL Configuration Changes
  Server SSL Configuration Summary
  Client SSL Configuration Summary
Base Configuration SSL Setup
  Creating a Node Level KeyStore and TrustStore to point to a SAF keyring
    Creating a new KeyStore using the administrative console
    Creating a new TrustStore using the administrative console
    Viewing the new SAF KeyStore and TrustStore
    Viewing the Signer and Personal Certificate
  Update Node Level SSL Configuration to use new KeyStore & TrustStore
  Update Application Server ssl.client.props
Network Deployment SSL Setup
  Creating a Cell Level KeyStore and TrustStore to point to a SAF keyring
    Creating a new KeyStore using the administrative console
    Creating a new TrustStore using the administrative console
    Viewing the new KeyStore and TrustStore
    Viewing the Signer and Personal Certificate
  Creating a New Node Level KeyStore and TrustStore to point to a SAF keyring
    Creating a new KeyStore using the administrative console
    Creating a new TrustStore using the administrative console
    Viewing the new KeyStore and TrustStore
    Viewing the Signer and Personal Certificate
  Update Cell Level SSL Configuration to use new KeyStore & TrustStore
  Update Node Level SSL Configuration to use new KeyStore & TrustStore
  Update Deployment Manager ssl.client.props
  Update Application Server ssl.client.props
Troubleshooting Keystore and Truststore setup
  Server diagnostics after switching to z/OS Security
  Client diagnostics after switching to z/OS Security
Example z/OS Security Setup with RACF Outputs
  Userids and Keyrings
  Required Facility Setup for SAF Keyrings
  Signing certificate WebSphereCA used in all keyrings
  Deployment Manager Keyring and Certificates
  Base Application Server / Managed Node Keyring and Certificates
  Daemon Keyring and Certificates
  Adjunct Keyring and Certificates
  WebSphere Administrative Userid Keyring and Certificates