Expedite Base/MVS

Exporting certificates
How to export a certificate using Internet Explorer 7 for use with Expedite Base/MVS 4.6.1
We want the new client certificate, the new root CA and the old root CA to co-exist in
the key database until July 9, then the new root CA will be the only one used.
1 – In Internet Explorer pull down Tools, select Internet Options, click the Content tab, then click Certificates:
2 - Highlight the certificate you wish to export (the one issued under “PKI Service Root CA2”) and click "Export..."
3 - Click "Next >"
4 - Check "Yes, export the private key" and click "Next >"
5 - Check "Personal Information Exchange - PKCS #12 (.PFX)"
o Make sure that "Include all certificates in the certification path if possible" is selected
o Make sure "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" is selected
o Make sure "Delete the private key if the export is successful" is NOT selected
o Click "Next >"
6 - Choose a password for the file and click "Next >"
NOTES:
1. Make a note of this password; it can NOT be recovered from the exported file. Internet Explorer will allow you to export a certificate without protecting it with a password. Do NOT do this.
2. The .pfx contains your private key. Anyone who obtains the file and its password can present your certificate as their own, so choose a strong password and delete the PC copy (and the copy left on z/OS) once the import has succeeded.
7 – Click "Browse...", go to the directory where you want to save the file, give it a name and click "Save". This brings you back to the previous screen; click “Next >”.
NOTES:
1. Make sure you remember where you saved the file; you will need the path when you FTP it.
2. Give the file a name that distinguishes it from other exports (the word “certificate” on its own is too vague).
8 - Click "Finish"
9 - Click "OK"
There’s an Expedite Base/MVS 4.6 manual which can be downloaded here:
https://www.gxsolc.com/public/EDI/us/support/Library/Publications/ExpBaseMvsProgGuude45_c3422045.pdf
- Pages 185-188 (.pdf pages 201-204) show how to export the certificate. It’s important to export it exactly as shown there:
o Make sure "Yes, export the private key" is selected in step 4.
o Also ensure that both "Include all certificates in the certification path if possible" and "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" are ticked in step 5.
- On page 188 (.pdf page 204), in step 8, it’s important to:
o Set the record length of the z/OS mounted HFS file to 2500.
o FTP the .pfx file as BINARY (see the FTP session below).
- If you prefer to use a KEYRINGSTASHFILE instead of a KEYRINGPASSWORD, use option 10 (Store database password) on the Key Management Menu (Database: /u/user1/ExpKeyDB.kdb) shown on page 190 (.pdf page 206). That writes the stash file (ExpKeyDB.sth, alongside the .kdb), which is the KEYRINGSTASHFILE. Because the stash file lets anyone who can read it open the key database without knowing the password, protect it as tightly as the .kdb itself: readable only by the userid that runs Expedite.
FTP’ing the .pfx as BINARY from the PC to the MVS host is done like this (amend the address, userid, directory and file name as appropriate; note that plain FTP sends your logon credentials in the clear):
ftp xxx.xxx.xxx.xxx
(sign on with your account/userid and password)
cd ..
cd /u/sharisc/
binary
put certificate.pfx
quit
NOTE: Issue binary as its own command before the put. Do not append it to the put command: ftp treats a second argument to put as the remote file name, so the file is still transferred in ASCII mode and translated to EBCDIC on z/OS, which results in the following error later, when you try to import the file into the key database:
Unable to import certificate and key.
Status 0x03353020 - Unrecognized file or message encoding.
From http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.gska100/sssl2msg1001010.htm:
03353020 Unrecognized file or message encoding.
Explanation:
A file or message cannot be imported because the format is not recognized.
System SSL supports X.509 DER-encoded certificates, PKCS #7 signed data
messages, and PKCS #12 personal information exchange messages for certificate
import files. The import file data may be the binary data or the Base64-encoding of
the binary data.
System SSL supports PKCS #7 data, encrypted data, signed data, and enveloped data
for messages. This error can also occur if the message is not constructed properly.
User response:
Ensure that the import file or message has not been modified. A Base64-encoded
import file must be converted to the local code page when it is moved to another
system while a binary import file must not be modified when it is moved to another
system.
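The check below is an added example, not code from the original page, from GXS or from IBM, and it uses only the Python standard library. Run it on the PC against the exported .pfx before the FTP (and, if Python is available there, on the z/OS copy after it): it reads the outer DER framing that every PKCS #12 file has (RFC 7292: PFX ::= SEQUENCE { version INTEGER (3), authSafe, macData OPTIONAL }) and reports whether System SSL is likely to accept the file as-is, distinguishing the two accepted forms (binary DER, or Base64 of that DER) from the damage behind 0x03353020: bytes translated to EBCDIC by an ASCII-mode transfer (the first byte becomes 0xF0, EBCDIC '0', instead of 0x30), a truncated file, or trailing bytes. The sample file it builds is constructed here and is only the outer PFX framing with dummy content, not an importable key file; the ASCII-mode FTP model (code page 037, no line-end rewriting) is a simplifying assumption.

```python
"""Pre-flight check for a .pfx before it is FTP'd to z/OS and imported with gskkyman."""
import base64
import binascii
from typing import Optional, Tuple


def read_tlv(data: bytes, offset: int = 0) -> Optional[Tuple[int, int, int]]:
    """Parse one DER tag/length header at `offset`.

    Returns (tag, value_length, value_offset), or None if the header is malformed,
    uses indefinite length (BER, not DER) or runs past the end of the buffer.
    """
    if offset + 2 > len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first < 0x80:                       # short form: the byte is the length
        return tag, first, pos
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or pos + n > len(data):
        return None
    return tag, int.from_bytes(data[pos:pos + n], "big"), pos + n


def classify_import_file(data: bytes) -> str:
    """Say what gskkyman would see if handed `data` as an import file."""
    if not data:
        return "empty"
    hdr = read_tlv(data)
    if hdr and hdr[0] == 0x30:             # 0x30 = SEQUENCE tag: binary DER
        _, length, pos = hdr
        if pos + length > len(data):
            return "truncated"             # length field promises bytes we lack
        if pos + length < len(data):
            return "trailing-garbage"      # bytes after the structure (file modified)
        ver = read_tlv(data, pos)          # first element of a PFX is version 3
        if ver and ver[0] == 0x02 and data[ver[2]:ver[2] + ver[1]] == b"\x03":
            return "der-pkcs12"
        return "der-other"                 # DER, but e.g. a bare X.509 cert or PKCS #7
    if data[0] == 0xF0:                    # EBCDIC '0': translated by an ASCII-mode FTP
        return "ebcdic-translated"
    # Base64 text: drop PEM armour lines and whitespace, decode, classify the result.
    body = b"".join(line for line in data.splitlines()
                    if not line.startswith(b"-----"))
    body = b"".join(body.split())
    if not body:
        return "unknown"
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    inner = classify_import_file(decoded)
    return "base64-" + inner if inner != "unknown" else "unknown"


def simulate_ascii_mode_ftp(data: bytes) -> bytes:
    """Model of an ASCII-mode transfer to z/OS: every byte is taken as a character
    and translated to EBCDIC. Assumption: code page 037 and no line-end rewriting;
    a real transfer also rewrites CR/LF bytes, so the damage is at least this."""
    return data.decode("latin-1").encode("cp037")


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload


def as_pem(der_bytes: bytes, label: str = "PKCS12") -> bytes:
    """Base64 text form with PEM armour (accepted by System SSL as text, which on
    z/OS then has to be in the local code page rather than ASCII)."""
    b64 = base64.b64encode(der_bytes)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return b"-----BEGIN %s-----\n" % tag + b"\n".join(lines) + b"\n-----END %s-----\n" % tag


def build_sample_pfx() -> bytes:
    """Constructed sample: only the OUTER framing of a PFX (version 3 plus an authSafe
    ContentInfo carrying pkcs7-data) around dummy content. Enough to exercise the
    checks above; it is not an importable key file."""
    pkcs7_data_oid = bytes.fromhex("2A864886F70D010701")   # 1.2.840.113549.1.7.1
    auth_safe = der(0x30, der(0x06, pkcs7_data_oid)
                    + der(0xA0, der(0x04, b"\x00" * 300)))
    return der(0x30, der(0x02, b"\x03") + auth_safe)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pfx()
    print("as given:                 ", classify_import_file(blob))
    print("after ASCII-mode transfer:", classify_import_file(simulate_ascii_mode_ftp(blob)))
```

Usage: `python pfxcheck.py certificate.pfx` should print der-pkcs12 for a good export; anything else means the file is not what gskkyman option 8 expects, and ebcdic-translated specifically means the transfer was not done in binary mode.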
Storing the certificate in an existing key database
The first step is to log on to USS. You will use the IBM-supplied program gskkyman to manage
your keys and certificates. A sample session is shown below.
Opening a key database
1. From USS, invoke the gskkyman utility by typing gskkyman.
The Database Menu displays.
Database Menu

   1 - Create new database
   2 - Open database
   3 - Change database password
   4 - Change database record length
   5 - Delete database
   6 - Create key parameter file
   7 - Display certificate file (Binary or Base64 ASN.1 DER)

  11 - Create new token
  12 - Delete token
  13 - Manage token
  14 - Manage token from list of tokens

   0 - Exit program

Enter option number: 2
Enter key database name (press ENTER to return to menu): ExpKeyDB.kdb
Enter database password (press ENTER to return to menu):
2. On the Enter option number line, type 2 and press Enter.
3. Enter the name of your existing key database. This field is case sensitive, so make sure to type the name exactly. For example, you might type ExpKeyDB.kdb.
4. Type the database password and press Enter.
The key database is opened. Continue with the steps in the next section.
Importing your certificate
Once you have opened the key database, you are ready to import your new certificate into it. You will
need the name and location of the pfx file that you sent by FTP to your z/OS machine.
When you press Enter in Step 4 of the previous procedure, the Key Management Menu displays.
Key Management Menu

Database: /u/user/ExpKeyDB.kdb
Expiration: None

   1 - Manage keys and certificates
   2 - Manage certificates
   3 - Manage certificate requests
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate
   6 - Create a self-signed certificate
   7 - Import a certificate
   8 - Import a certificate and a private key
   9 - Show the default key
  10 - Store database password
  11 - Show database record length

   0 - Exit program

Enter option number (press ENTER to return to previous menu): 8
Enter import file name (press ENTER to return to menu): NewKey.pfx
Enter import file password (press ENTER to return to menu):
Enter label (press ENTER to return to menu): ExpditeCert2011
1. Type 8 (Import a certificate and a private key) and press Enter.
2. Type the import file name. This is the name you used when you sent the file by FTP to your z/OS system; USS file names are case sensitive.
3. Type the import file password (the one you chose in step 6 of the export).
4. Type the certificate label, such as ExpditeCert2011, and then press Enter.
The following message displays: Certificate and key imported. Press Enter and continue with the
instructions in the next section.
Setting the default certificate
You must set the certificate that you just imported as the default certificate.
Key Management Menu

Database: /u/user/ExpKeyDB.kdb
Expiration: None

   1 - Manage keys and certificates
   2 - Manage certificates
   3 - Manage certificate requests
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate
   6 - Create a self-signed certificate
   7 - Import a certificate
   8 - Import a certificate and a private key
   9 - Show the default key
  10 - Store database password
  11 - Show database record length

   0 - Exit program

Enter option number (press ENTER to return to previous menu):
===> 1
1. On the Key Management Menu, type 1 and press Enter.
The Key and Certificate List screen displays.
Key and Certificate List
Database: /u/user/ExpKeyDB.kdb
1 - ExpditeCert
2 – ExpditeCert2011
0 - Return to selection menu
Enter label number (ENTER to return to selection menu, p for previous list):
2. Type the number next to the certificate label you just imported and press Enter. I am selecting option
2 as this was my new certificate.
The Key and Certificate Menu displays.
Key and Certificate Menu

Label: ExpditeCert2011

   1 - Show certificate information
   2 - Show key information
   3 - Set key as default
   4 - Set certificate trust status
   5 - Copy certificate and key to another database
   6 - Export certificate to a file
   7 - Export certificate and key to a file
   8 - Delete certificate and key
   9 - Change label
  10 - Create a signed certificate and key
  11 - Create a certificate renewal request

   0 - Exit program

Enter option number (press ENTER to return to previous menu):
===> 3
3. Type 3 and press Enter.
The following message displays: Default key set.
4. Press Enter.
The Key and Certificate Menu displays.
Key and Certificate Menu

Label: ExpditeCert2011

   1 - Show certificate information
   2 - Show key information
   3 - Set key as default
   4 - Set certificate trust status
   5 - Copy certificate and key to another database
   6 - Export certificate to a file
   7 - Export certificate and key to a file
   8 - Delete certificate and key
   9 - Change label
  10 - Create a signed certificate and key
  11 - Create a certificate renewal request

   0 - Exit program

Enter option number (press ENTER to return to previous menu):
===> 4
5. On the Enter option number line, type 4.
6. On the Enter 1 if trusted line, type 1 and press Enter.
The following message displays: Record updated.
7. Press Enter to continue.
Your existing key database now contains both the old and the new client certificates and both CA certificates. Before running a session, confirm the result from the Key Management Menu: option 9 (Show the default key) should report the new label, and option 1 should list both labels. You should then be able to use your existing job to run a session. Once the new certificate is working, delete the .pfx from the z/OS file system, since it still holds the private key under nothing but the export password.