Setting up SUBCA1 and SUBCA2 under ROOTCA
This chapter describes how to set up the intermediate CAs SUBCA1 and SUBCA2 and includes the following topics:
3.1 SUBCA1 set up
The first intermediate certificate authority that is set up is named subca1. As an intermediate certificate authority, the digital certificate that is representing the SUBCA1 CA is digitally signed by the root certificate authority.
We must establish the chain of trust. If the root certificate authority is trusted, any certificates that are issued by the Intermediate also are trusted.
All of the ROOTCA configurations are used as the base for SUBCA1.
3.1.1 Creating SUBCA1 certificate request
Complete the following steps to create the PKCS#10 request by using the RACF RACDCERT commands:
1. Use the ISPF command shell to issue the following RACDCERT GENCERT command, which generates a certificate and a public and private key pair (the created certificate itself is not used; only the key pair is used going forward):
RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('SUBCA1 ITSO PKI Red Book') O('IBM') C('US')) WITHLABEL('SUBCA1 PKI CA')
2. Create the PKCS#10 certificate request by using RACDCERT GENREQ. Use the public and private key pair that was created in the previous step. The request is to be saved in the PKISRVD.SUBCA1.REQ data set. On the ISPF command shell, enter the following command:
RACDCERT CERTAUTH GENREQ(LABEL('SUBCA1 PKI CA')) DSN('PKISRVD.SUBCA1.REQ')
3.1.2 Requesting the SUBCA1 certificate to be signed by ROOTCA
SUBCA1 must make a request to the Rootca. Enter the following URL in a browser:
Figure 3-1 shows the page that is displayed. Choose 5-Year PKI Intermediate CA Certificate from the drop-down list and then, click Request Certificate.
Figure 3-1 Intermediate CA certificate application
You are prompted to enter information about the certificate, as shown in Figure 3-2.
Figure 3-2 Top part of 5-Year PKI Intermediate CA Certificate form
Although most fields on this page are optional, the Pass phrase for securing this request field must be completed.
 
Note: Enter and remember a meaningful pass phrase. The pass phrase is used later to retrieve the digital certificate that was created by PKI services.
3. Scroll down the web page and see that to complete the certificate request, you must enter a Base64 encoded PKCS#10 certificate request, as shown in Figure 3-3.
Figure 3-3 PKCS#10 option
This information is needed because a CA certificate is being requested. CA certificates for z/OS PKI Services are required to be in RACF.
 
Note: Do not submit the certificate request or close the browser window. We return to this window later in the process.
4. Open the data set PKISRVD.SUBCA1.REQ, which was created in “Creating SUBCA1 certificate request” on page 38. The content is shown in Figure 3-4.
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
Figure 3-4 Contents of PKCS#10 certificate request in Base64 format
5. Select the contents of the certificate request, including the comment lines at the top and bottom of the window. Select Copy from the toolbar.
6. Return to the web browser, where the request form for the 5-year PKI intermediate CA certificate should be still open. Paste the PKCS#10 request in the provided field, as shown in Figure 3-3 on page 41.
Do not complete any other information in the optional fields of the web form.
 
Note: Entering information into the optional fields on the web form overrides the information in the PKCS#10 file.
7. Click Submit certificate request to complete the request. A page opens that confirms the request was submitted successfully, as shown in Figure 3-5.
Figure 3-5 Request submitted successfully
The certificate request is submitted.
 
Note: Record the transaction ID because it is required to retrieve the digital certificate along with the pass phrase that was defined in the request.
The default configuration of PKI Services is to automatically approve all intermediate CA certificate requests and to generate all pending certificates every 3 minutes. With this configuration, you can retrieve your certificate after the next scheduled update.
3.1.3 Retrieving SUBCA1 certificate
To retrieve the certificate, return to main user page by using the following URL (see Figure 3-6):
http://wtsc76.itso.ibm.com/Rootca/public-cgi/camain.rexx
Figure 3-6 PKI Services Certificate Generation Application main page
Complete the following steps:
1. Under Pick up a previously requested certificate, enter the assigned transaction ID that you received in 3.1.2, “Requesting the SUBCA1 certificate to be signed by ROOTCA” on page 39.
2. Select PKI Server certificate from the drop-down menu.
3. Click Pick up certificate.
The window that opens is shown in Figure 3-7.
Figure 3-7 Retrieve Your PKI Server Certificate window
4. Enter the pass phrase that you used for the certificate request and click Continue.
If the certificate was not yet issued, the PKI Services web application returns the error message that is shown in Figure 3-8.
Figure 3-8 Request is yet to be issued
If this error is shown, wait for a few minutes and then, try again.
The returned web page that contains the digital certificate is shown in Figure 3-9. This certificate is signed by the RootCA.
Figure 3-9 Retrieved Digital Certificate created and signed by RootCA
3.1.4 Adding the SUBCA1 certificate to RACF
Complete the following steps to add the SUBCA1 certificate to the RACF database:
1. Copy the certificate from the browser. Ensure that the complete certificate is copied, including the comment lines.
2. Return to the 3270 emulation and open the ISPF 3.4 data set list utility.
3. Copy the PKISRVD.SUBCA1.REQ data set by entering a “/” character (without the quotes) in front of the data set and selecting option 17 - copy.
4. Choose a new data set name PKISRVD.SUBCA1.CRT.
5. Open PKISRVD.SUBCA1.CRT in edit mode and delete its content.
6. Paste the certificate from the PKI services web page as shown in Figure 3-10 on page 46 and Figure 3-11 on page 46. Make sure to copy the entire certificate, which might require more than one paste to the data set (depending on how many lines you can see on the 3270 panel). Use the paste next function if your emulator supports it.
Figure 3-10 Digital Certificate pasted into data set window 1 of 2
Figure 3-11 Digital Certificate pasted into data set window 2 of 2
7. Save the data set and then, go to the ISPF command shell. Enter the following command to add the certificate to RACF without specifying the label. It is added under the original label SUBCA1 PKI CA:
RACDCERT CERTAUTH ADD('PKISRVD.SUBCA1.CRT')
8. To review this certificate, enter the following command:
RACDCERT CERTAUTH LIST(label('SUBCA1 PKI CA'))
The response is shown in Figure 3-12 on page 47.
Label: SUBCA1 PKI CA
Certificate ID: 2QiJmZmDhZmjgeLkwsPB8UDX0slAw8FA
Status: TRUST
Start Date: 2016/09/06 00:00:00
End Date: 2021/09/04 23:59:59
Serial Number:
>03<
Issuer's Name:
>OU=ROOTCA IBM PKI RedBooks.O=IBM.C=US<
Subject's Name:
>OU=SUBCA1 IBM PKI RedBooks.O=IBM.C=US<
Signing Algorithm: sha256RSA
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 2048
Private Key: YES
Ring Associations:
*** No rings associated ***
Figure 3-12 Listing of SUBCA1 PKI CA digital certificate in RACF
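The listing in Figure 3-12 is the point at which the chain of trust described at the start of this chapter becomes verifiable: the Issuer's Name of the SUBCA1 certificate must be the Subject's Name of the ROOTCA certificate, the status must be TRUST, the key usage must allow certificate signing, and the private key must be present, or SUBCA1 cannot issue anything. The following Python script is an added example, not part of the Redbook and not IBM code. It parses the RACDCERT LIST output exactly as shown above (embedded here as the sample input) and returns a list of findings; the expected issuer and subject names are taken from the listing on this page, and the "now" timestamp is a parameter so the validity window can be checked against any date.

```python
from datetime import datetime

# Listing of the SUBCA1 certificate as RACDCERT CERTAUTH LIST displays it in
# Figure 3-12 of the chapter, embedded here as the sample input.
SAMPLE_LISTING = """\
Label: SUBCA1 PKI CA
Certificate ID: 2QiJmZmDhZmjgeLkwsPB8UDX0slAw8FA
Status: TRUST
Start Date: 2016/09/06 00:00:00
End Date: 2021/09/04 23:59:59
Serial Number:
>03<
Issuer's Name:
>OU=ROOTCA IBM PKI RedBooks.O=IBM.C=US<
Subject's Name:
>OU=SUBCA1 IBM PKI RedBooks.O=IBM.C=US<
Signing Algorithm: sha256RSA
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 2048
Private Key: YES
Ring Associations:
*** No rings associated ***
"""

# Names as they appear in the listing above (RACF separates RDNs with a dot).
EXPECTED_ISSUER = "OU=ROOTCA IBM PKI RedBooks.O=IBM.C=US"
EXPECTED_SUBJECT = "OU=SUBCA1 IBM PKI RedBooks.O=IBM.C=US"
RACF_DATE = "%Y/%m/%d %H:%M:%S"   # format of the Start Date / End Date fields


def parse_racdcert_list(text: str) -> dict:
    """Turn one RACDCERT LIST certificate block into a field dictionary.

    Values that RACF prints on the following line between > and < (serial
    number, issuer, subject) are folded into the preceding field name.
    """
    fields, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending and line.startswith(">") and line.endswith("<"):
            fields[pending] = line[1:-1]
            pending = None
        elif pending and line.startswith("***"):
            fields[pending] = line.strip("* ")   # e.g. "No rings associated"
            pending = None
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if value:
                fields[key] = value
                pending = None
            else:
                pending = key                    # value follows on the next line
    return fields


def check_subca_listing(text: str, expected_issuer: str, expected_subject: str,
                        now: str, min_key_size: int = 2048) -> list:
    """Return a list of findings; an empty list means the intermediate looks right."""
    f = parse_racdcert_list(text)
    findings = []
    status = f.get("Status")
    if status != "TRUST":
        findings.append(f"status is {status}, expected TRUST")
    issuer, subject = f.get("Issuer's Name"), f.get("Subject's Name")
    if issuer != expected_issuer:
        findings.append(f"issuer is {issuer!r}, expected the root CA {expected_issuer!r}")
    if subject != expected_subject:
        findings.append(f"subject is {subject!r}, expected {expected_subject!r}")
    if "CERTSIGN" not in f.get("Key Usage", "").upper():
        findings.append("key usage lacks CERTSIGN, so this certificate cannot sign")
    if f.get("Private Key") != "YES":
        findings.append("private key is not in RACF, so SUBCA1 cannot issue")
    if int(f.get("Key Size", "0")) < min_key_size:
        findings.append(f"key size {f.get('Key Size')} is below {min_key_size}")
    try:
        start = datetime.strptime(f["Start Date"], RACF_DATE)
        end = datetime.strptime(f["End Date"], RACF_DATE)
        at = datetime.strptime(now, RACF_DATE)
        if not start <= at <= end:
            findings.append(f"not valid at {now} (valid {f['Start Date']} to {f['End Date']})")
    except (KeyError, ValueError):
        findings.append("validity dates missing or unparsable")
    return findings


if __name__ == "__main__":
    for finding in check_subca_listing(SAMPLE_LISTING, EXPECTED_ISSUER,
                                       EXPECTED_SUBJECT, "2017/01/01 00:00:00"):
        print("FINDING:", finding)
```

The ring association is deliberately not a finding, because at this point in the procedure the certificate has not yet been connected to CAring.SUBCA1; after 3.1.7 the same parser can be pointed at the LISTRING output to confirm that both the SUBCA1 and ROOTCA certificates are on the ring.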
The intermediate certificate for SUBCA1 is generated, signed by the Root CA (see Issuer's Name), and is now in RACF.
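Both the copy of the PKCS#10 request in 3.1.2 and the multi-paste of the certificate into the PKISRVD.SUBCA1.CRT data set in 3.1.4 move a Base64 block through a clipboard and a 3270 panel, where a dropped or doubled line is easy to miss and surfaces only when the web form or RACDCERT ADD rejects the data. The following Python script is an added example, not part of the Redbook and not IBM code; it is meant to run on the workstation before the paste. It checks that a copied block has exactly one BEGIN/END marker pair of the expected kind, that the body is a single Base64 run, and that the outer DER SEQUENCE header agrees with the decoded byte count (which catches truncation), and it re-wraps the body to 64 columns for a fixed-width data set. The embedded sample body is a constructed minimal DER SEQUENCE, not a real PKCS#10 request.

```python
import base64
import binascii
import re

# Constructed sample: the Base64 of a minimal DER SEQUENCE (bytes
# 30 06 02 01 03 02 01 05, i.e. two INTEGERs). A real RACDCERT GENREQ output
# has the same framing with a far longer body; this stand-in only exercises
# the checks below.
SAMPLE_BODY = "MAYCAQMCAQU="
REQUEST_KIND = "NEW CERTIFICATE REQUEST"   # marker text written by RACDCERT GENREQ
CERT_KIND = "CERTIFICATE"                  # marker text of the issued certificate
SAMPLE_REQUEST = (
    f"-----BEGIN {REQUEST_KIND}-----\n{SAMPLE_BODY}\n-----END {REQUEST_KIND}-----\n"
)


def _der_total_length(der: bytes) -> int:
    """Return the byte count the outer DER SEQUENCE header claims for itself.

    Raises ValueError when the data does not begin with a SEQUENCE tag (0x30)
    or the length field is malformed.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: this byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_block(text: str, kind: str) -> dict:
    """Check a copied PEM block for paste damage.

    kind is the marker text ("NEW CERTIFICATE REQUEST" or "CERTIFICATE").
    Returns {"ok": bool, "reason": str, "der_len": int}.
    """
    begin, end = f"-----BEGIN {kind}-----", f"-----END {kind}-----"
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    def bad(why: str, n: int = 0) -> dict:
        return {"ok": False, "reason": why, "der_len": n}

    if lines.count(begin) != 1 or lines.count(end) != 1:
        return bad("BEGIN/END marker missing or duplicated (pasted twice?)")
    if lines[0] != begin or lines[-1] != end:
        return bad("text outside the BEGIN/END markers")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return bad("body is not a single Base64 run (stray characters or mid-body padding)")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return bad("body is not valid Base64 (truncated line?)")
    try:
        claimed = _der_total_length(der)
    except ValueError as exc:
        return bad(str(exc), len(der))
    if claimed != len(der):
        return bad(f"DER length mismatch: header claims {claimed} bytes, got {len(der)}", len(der))
    return {"ok": True, "reason": "intact", "der_len": len(der)}


def rewrap_pem(text: str, kind: str, width: int = 64) -> str:
    """Re-emit a checked block with its body in fixed-width lines."""
    result = check_pem_block(text, kind)
    if not result["ok"]:
        raise ValueError(result["reason"])
    body = "".join(
        ln.strip() for ln in text.splitlines()
        if ln.strip() and not ln.strip().startswith("-----")
    )
    wrapped = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([f"-----BEGIN {kind}-----", *wrapped, f"-----END {kind}-----"]) + "\n"


if __name__ == "__main__":
    print(check_pem_block(SAMPLE_REQUEST, REQUEST_KIND))
    print(rewrap_pem(SAMPLE_REQUEST, REQUEST_KIND), end="")
```

Run it with CERT_KIND against the text copied from the PKI Services retrieval page in 3.1.3 before pasting into the data set, and with REQUEST_KIND against the contents of PKISRVD.SUBCA1.REQ before pasting into the web form. A length mismatch means the paste lost or gained lines even though every remaining character is valid Base64, which is the failure the 3270 panel size makes likely.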
3.1.5 Creating and customizing the UNIX files for SUBCA1
The intermediate certificate authority is set up by using the same base infrastructure as the root CA. The web server and LDAP setup from the previous chapter is used.
In this section, we describe the process that was used to create the new PKI services certificate authority.
Creating Subca1 directory
From your 3270 emulation ISPF, go to the ISPF command shell (option 6) and enter OMVS. After you are in UNIX System Services, complete the following steps:
1. Browse to the following PKI directory:
cd /etc/pkiserv
2. Create a directory that is named subca1 by using the following command:
mkdir subca1
3. Copy the contents of rootca to subca1. The following copied files are then customized for subca1:
cp -p /etc/pkiserv/rootca/pkiserv.conf /etc/pkiserv/subca1
cp -p /etc/pkiserv/rootca/pkiserv.tmpl /etc/pkiserv/subca1
cp -p /etc/pkiserv/rootca/pkiserv.envars /etc/pkiserv/subca1
cp -p /etc/pkiserv/rootca/*.form /etc/pkiserv/subca1
Customizing pkiserv.conf for Subca1
Complete the following steps:
1. Open the pkiserv.conf file by using the following command (the file contains the configuration setting for PKI Services):
oedit pkiserv.conf
2. Change all occurrences of rootca to subca1. Notice that upper and lowercase letters are used in different places.
3. Save and close pkiserv.conf.
Customizing pkiserv.tmpl for Subca1
Complete the following steps:
1. Open the pkiserv.tmpl file by using the following command (this file contains the templates that are used to build the HTML windows and forms that are used in the web pages):
oedit pkiserv.tmpl
2. Change all occurrences of rootca to subca1. Notice that upper and lowercase letters are used in different places.
3. Save pkiserv.tmpl.
Customizing pkiserv.envars for Subca1
The steps are as follows:
1. Open the pkiserv.envars file by using the following command (this file contains the Subca1 environmental variable for PKI services):
oedit pkiserv.envars
2. Change all occurrences of rootca to subca1. Notice that upper and lowercase letters are used in different places.
3. Save and close pkiserv.envars.
Customizing *.form files for Subca1
Edit all of the *.form files to customize the domain information. Change all occurrences of rootca to subca1. Notice that upper and lowercase letters are used in different places.
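The four customization steps above are the same edit applied to every copied file, and the instruction to watch the case matters: ROOTCA, Rootca and rootca all occur, and a single occurrence left behind leaves part of the new domain pointing at ROOTCA's resources. The following Python script is an added example, not part of the Redbook and not IBM code, written for the workstation or any system where the copied files can be edited. It replaces every case variant of rootca with the matching case variant of subca1 (character by character, since both names are six characters long) and then reports, per file, how many lines still mention rootca in any case, which should be zero before the files are uploaded. The sample configuration text and its keys are constructed placeholders, not real pkiserv.conf keys; only the data set, key ring and path names follow the chapter's naming.

```python
import os
import re
import tempfile

# Constructed stand-in for a copied configuration file. The keys are
# placeholders, not real pkiserv.conf keys; the data set, key ring and path
# names follow the chapter's ROOTCA naming.
SAMPLE_CONF = """\
# constructed sample, not a real pkiserv.conf
ObjectStoreDSN=PKISRVD.ROOTCA.VSAM.OST
IssuedCertListDSN=PKISRVD.ROOTCA.VSAM.ICL
CARing=PKISRVD/CAring.ROOTCA
HomeDir=/etc/pkiserv/rootca
Title=Rootca Certificate Authority
"""

# The files the chapter copies from rootca (plus every *.form file).
CONFIG_FILES = ("pkiserv.conf", "pkiserv.tmpl", "pkiserv.envars")


def transfer_case(template: str, replacement: str) -> str:
    """Give replacement the case pattern of template.

    When both are the same length (as rootca and subca1 are) the case is
    copied character by character, so ROOTCA -> SUBCA1, Rootca -> Subca1 and
    rootca -> subca1; otherwise the whole word is uppercased, lowercased or
    capitalized to match.
    """
    if len(template) == len(replacement):
        return "".join(r.upper() if t.isupper() else r.lower()
                       for t, r in zip(template, replacement))
    if template.isupper():
        return replacement.upper()
    if template.islower():
        return replacement.lower()
    return replacement.capitalize()


def rename_domain(text: str, old: str = "rootca", new: str = "subca1") -> str:
    """Replace every case variant of old with the matching case variant of new."""
    return re.compile(re.escape(old), re.IGNORECASE).sub(
        lambda m: transfer_case(m.group(0), new), text)


def residual_references(text: str, old: str = "rootca") -> list:
    """1-based line numbers that still mention old in any case."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if old.lower() in line.lower()]


def customize_domain_dir(src_dir: str, dst_dir: str,
                         old: str = "rootca", new: str = "subca1") -> dict:
    """Copy the config files and *.form files from src_dir to dst_dir with the
    domain renamed; return {filename: number of lines still mentioning old}."""
    os.makedirs(dst_dir, exist_ok=True)
    report = {}
    for name in sorted(os.listdir(src_dir)):
        if name not in CONFIG_FILES and not name.endswith(".form"):
            continue
        with open(os.path.join(src_dir, name), encoding="utf-8") as fh:
            converted = rename_domain(fh.read(), old, new)
        with open(os.path.join(dst_dir, name), "w", encoding="utf-8") as fh:
            fh.write(converted)
        report[name] = len(residual_references(converted, old))
    return report


def demo():
    """Build a throwaway rootca directory from the constructed sample, customize
    it, and return the report together with the converted pkiserv.conf text."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "rootca"), os.path.join(tmp, "subca1")
        os.makedirs(src)
        for name in CONFIG_FILES + ("sample.form",):   # sample.form is constructed
            with open(os.path.join(src, name), "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_CONF)
        report = customize_domain_dir(src, dst)
        with open(os.path.join(dst, "pkiserv.conf"), encoding="utf-8") as fh:
            return report, fh.read()


if __name__ == "__main__":
    report, converted = demo()
    print(report)
    print(converted, end="")
```

The residual count is the check worth keeping even if the edit itself is done with oedit as the chapter describes: a non-zero count for any file means the domain still references ROOTCA somewhere and the file should be inspected before PKISRVD is started against it.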
Changing the file owner
Complete the following steps:
1. Check the file permission bits and owner of the configuration files by using the following command:
ls -lt
You can see that all files belong to the user ID that copied the files from rootca. This status must be changed so that the task that is started later can pick up the files (PKISRVD is our STC user for the PKI services daemon started task).
2. Change the file owner to PKI Services daemon user ID PKISRVD by using the following command:
chown PKISRVD *.*
3.1.6 Creating the VSAM data sets for SUBCA1
In “Defining the ROOTCA VSAM data sets” on page 7, the job IKYCVSAM was copied from SYS1.SAMPLIB to your setup data set to create the VSAM files for the root CA. Copy this job and complete the following steps:
1. Change the job name.
2. Issue the ISPF edit change command C ROOTCA SUBCA1 ALL.
3. Submit the job. The SUBCA1 VSAM data sets are shown in Figure 3-13.
PKISRVD.SUBCA1.VSAM.ICL.DA
PKISRVD.SUBCA1.VSAM.ICL.IX
PKISRVD.SUBCA1.VSAM.ICL.REQAIX
PKISRVD.SUBCA1.VSAM.ICL.REQAIX.DA
PKISRVD.SUBCA1.VSAM.ICL.REQAIX.IX
PKISRVD.SUBCA1.VSAM.ICL.REQUESTR
PKISRVD.SUBCA1.VSAM.ICL.STATAIX
PKISRVD.SUBCA1.VSAM.ICL.STATAIX.DA
PKISRVD.SUBCA1.VSAM.ICL.STATAIX.IX
PKISRVD.SUBCA1.VSAM.ICL.STATUS
PKISRVD.SUBCA1.VSAM.OST
PKISRVD.SUBCA1.VSAM.OST.AIX
PKISRVD.SUBCA1.VSAM.OST.AIX.DA
PKISRVD.SUBCA1.VSAM.OST.AIX.IX
PKISRVD.SUBCA1.VSAM.OST.DA
PKISRVD.SUBCA1.VSAM.OST.IX
PKISRVD.SUBCA1.VSAM.OST.PATH
PKISRVD.SUBCA1.VSAM.OST.REQAIX
PKISRVD.SUBCA1.VSAM.OST.REQAIX.DA
PKISRVD.SUBCA1.VSAM.OST.REQAIX.IX
PKISRVD.SUBCA1.VSAM.OST.REQUESTR
PKISRVD.SUBCA1.VSAM.OST.STATAIX
PKISRVD.SUBCA1.VSAM.OST.STATAIX.DA
PKISRVD.SUBCA1.VSAM.OST.STATAIX.IX
PKISRVD.SUBCA1.VSAM.OST.STATUS
Figure 3-13 SUBCA1 VSAM data sets list
3.1.7 Creating certificate, key ring, and authorization for SUBCA1
Because most of the set-up steps were done for ROOTCA through IKYSETUP, we do not need to run IKYSETUP again for SUBCA1. Only profiles that are specific for SUBCA1 must be created. Complete the following steps to create the RACF key ring for SUBCA1 and connect the corresponding certificates to the key ring (the PKI user ID also is authorized to use the new domain):
1. Create a Registration Authority (RA) certificate that is signed by SUBCA1, as shown in the following example:
RACDCERT ID(PKISRVD) GENCERT SUBJECTSDN(CN('Registration Authority') OU('SUBCA1 ITSO PKI Red Book') O('IBM') C('US')) KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('SUBCA1 PKI CA')) NOTAFTER(DATE(2020/11/19)) WITHLABEL('SUBCA1 PKI RA')
2. Create the PKI Services key ring for SUBCA1 and connect the CA and RA certificates to it by issuing the following commands:
RACDCERT ADDRING(CAring.SUBCA1) ID(PKISRVD)
RACDCERT ID(PKISRVD) CONNECT(CERTAUTH LABEL('SUBCA1 PKI CA') RING(CAring.SUBCA1) USAGE(PERSONAL) DEFAULT)
RACDCERT ID(PKISRVD) CONNECT(LABEL('SUBCA1 PKI RA') RING(CAring.SUBCA1) USAGE(PERSONAL))
RACDCERT ID(PKISRVD) CONNECT(CERTAUTH LABEL('ROOTCA PKI CA') RING(CAring.SUBCA1))
3. List the content of the ring by issuing the following command. The response is shown in Figure 3-14:
RACDCERT ID(PKISRVD) LISTRING(CAring.SUBCA1)
Figure 3-14 SUBCA1 CAring response
4. Use the following definitions to allow the PKI Services user ID PKISERV to request certificate functions:
RDEFINE FACILITY IRR.RPKISERV.*.SUBCA1
PERMIT IRR.RPKISERV.*.SUBCA1 CLASS(FACILITY) ID(PKISERV) ACCESS(CONTROL)
5. Create the profile to protect PKI Admin functions by issuing the following commands:
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.SUBCA1
PERMIT IRR.RPKISERV.PKIADMIN.SUBCA1 CLASS(FACILITY) ID(PKIGRP) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN.SUBCA1 CLASS(FACILITY) ID(PKISERV) ACCESS(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
6. Connect the SUBCA1 PKI CA certificate to the HTTP server key ring by using the following commands:
RACDCERT ID(WEBSRV) CONNECT(CERTAUTH LABEL('SUBCA1 PKI CA') RING(SSLring))
3.1.8 Starting SUBCA1
Complete the following steps to start the SUBCA1 domain:
1. Issue the following command to start SUBCA1:
s pkiservd,jobname=subca1,dir='/etc/pkiserv/subca1'
2. Complete the following steps to modify the ACL entry for CRL (which includes a critical attribute) so that any user can see the CRL:
a. Create a file that is named changeacl.ldif that includes the content that is shown in Figure 3-15 on page 51.
dn: OU=SUBCA1 ITSO PKI Red Book,O=IBM,C=US
changetype: modify
aclentry: group:cn=anybody:normal:rsc:system:rsc:critical:rsc
Figure 3-15 ACL entry modifications
b. Issue the following command:
ldapmodify -h wtsc76.itso.ibm.com -p 390 -D cn=admin -w secret -f changeacl.ldif
3. Stop and restart the HTTP server to pick up the update on the SSLring keyring by using the following commands:
S IHSSRVER,ACTION='STOP'
S IHSSRVER
4. Enter the URL http://wtsc76.itso.ibm.com/Subca1/public-cgi/camain.rexx into a browser. The window that opens is shown in Figure 3-16.
Figure 3-16 SUBCA1 User page
5. Test the admin page by using the following URL:
http://wtsc76.itso.ibm.com/AdmSubca1/public-cgi/camain.rexx
The window that opens is shown in Figure 3-17.
Figure 3-17 SUBCA1 admin start page
 
3.2 SUBCA2 set up
The SUBCA2 set-up is the same as SUBCA1. Follow the same steps and change all of the SUBCA1 references to SUBCA2.
Access SUBCA2 User page by using the following URL:
The page that opens is shown in Figure 3-18.
Figure 3-18 SUBCA2 User page
The SUBCA2 admin start page can also be accessed by using the following URL:
The page that opens is shown in Figure 3-19.
Figure 3-19 SUBCA2 admin start page
The three instances of PKI Services are now successfully set up with minimal configuration needed.
As of this writing, a video is planned that will show how to use the user and admin web pages.
More configurations are available for production. For more information, see Chapter 2 of z/OS PKI Services Guide and Reference.
 
 