Expedite Base/MVS - PKI Services

wheatauditor, Software & software development

30 Oct 2013

Exporting certificates

How to export a certificate using Internet Explorer 7 for use with Expedite Base/MVS 4.6.1

We want the new client certificate, the new root CA and the old root CA to co-exist in the key database until July 9, then the new root CA will be the only one used.


1 - In Internet Explorer pull down Tools, select Internet Options, click tab Content.

2 - Highlight the certificate you wish to export and click "Export..." (the "Issued to" should say "PKI Service Root CA2").

3 - Click "Next >".

4 - Check "Yes, export the private key" and click "Next >".

5 - Check "Personal Information Exchange - PKCS #12 (.PFX)".

    Make sure that "Include all certificates in the certification path if possible" is selected.

    Make sure "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" is selected.

    Make sure "Delete the private key if the export is successful" is NOT selected.

    Click "Next >".

6 - Choose a password for the file and click "Next >".

NOTES:

1. Make a note of this password; it can NOT be retrieved from the certificate.

2. Internet Explorer will allow you to export a certificate without protecting it with a password. Do NOT do this.

7 - Click browse:

    Go to the directory where you want to save the certificate, specify a name for the certificate and click "Save", which will bring you back to the previous screen, then click "Next >".

NOTES:

1. Make sure you remember where you saved the certificate.

2. Give the certificate a useful name that distinguishes it (the word "certificate" might be a bit vague).

8 - Click "Finish".

9 - Click "OK".

There's an Expedite Base/MVS 4.6 manual which can be downloaded here:
https://www.gxsolc.com/public/EDI/us/support/Library/Publications/ExpBaseMvsProgGuude45_c3422045.pdf

On pages 185-188 (.pdf pages 201-204) it shows how to export the certificate. It's important to export it as shown there:

o Make sure "Yes, export the private key" is selected in step 4.

o Also ensure that both "Include all certificates in the certification path if possible" and "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" are ticked in step 5.

On page 188 (.pdf page 204) in step 8 it's important to:

o Set the record length of the z/OS mounted HFS file to 2500.

o FTP the .pfx file as BINARY (see also the FTP session below).

If you prefer to use a KEYRINGSTASHFILE instead of a KEYRINGPASSWORD you can use option 10 ("10 - Store database password") on the Key Management Menu screen (Database: /u/user1/ExpKeyDB.kdb) on page 190 (.pdf page 206). That creates the KEYRINGSTASHFILE.

FTP'ing the .pfx as BINARY from the PC to the MVS is done like this:

    FTP xxx.xxx.xxx.xxx                 (amend as appropriate)
    Sign on with your account/userid    (amend as appropriate)
    cd ..
    cd /u/sharisc/                      (amend as appropriate)
    binary
    put certificate.pfx                 (amend as appropriate)
    quit

NOTE: Do not put the binary parameter on the put command, as it will result in the following error later when you attempt to create the keyring database file:

    Unable to import certificate and key.
    Status 0x03353020 - Unrecognized file or message encoding.

From http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.gska100/sssl2msg1001010.htm:

03353020 Unrecognized file or message encoding.

Explanation:

A file or message cannot be imported because the format is not recognized.

System SSL supports X.509 DER-encoded certificates, PKCS #7 signed data messages, and PKCS #12 personal information exchange messages for certificate import files. The import file data may be the binary data or the Base64-encoding of the binary data.

System SSL supports PKCS #7 data, encrypted data, signed data, and enveloped data for messages. This error can also occur if the message is not constructed properly.

User response:

Ensure that the import file or message has not been modified. A Base64-encoded import file must be converted to the local code page when it is moved to another system, while a binary import file must not be modified when it is moved to another system.
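As an added example (not from the original page, GXS or IBM), here is a stdlib-only Python check that tells, before running gskkyman option 8, whether a transferred .pfx still has the binary DER framing System SSL expects, or whether it was mangled by a text-mode FTP transfer (the cause of the Status 0x03353020 error above). The ASCII-to-EBCDIC simulation and the sample file contents are assumptions constructed for the example.

```python
import base64
import re

DER_SEQUENCE_TAG = 0x30  # a DER / PKCS #12 import file always starts with a SEQUENCE


def der_length_matches(data: bytes) -> bool:
    """True if the outer DER SEQUENCE length equals the actual payload size,
    which a binary-mode transfer preserves and a text-mode transfer breaks."""
    if len(data) < 2 or data[0] != DER_SEQUENCE_TAG:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def classify_import_file(data: bytes) -> str:
    """Return 'binary-der', 'base64-der' or 'unknown', mirroring the two
    encodings System SSL accepts for a certificate import file."""
    if der_length_matches(data):
        return "binary-der"
    # Strip PEM armour lines and whitespace, then require a pure Base64 body.
    body = re.sub(rb"-----(BEGIN|END)[^\n]*-----|\s", b"", data)
    if body and re.fullmatch(rb"[A-Za-z0-9+/]+=*", body):
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:
            return "unknown"
        if der_length_matches(decoded):
            return "base64-der"
    return "unknown"


def simulate_text_mode_transfer(data: bytes) -> bytes:
    """Assumed approximation of an ASCII-mode FTP put to z/OS: every byte is
    translated ASCII -> EBCDIC (code page 037), so the DER header is destroyed."""
    return data.decode("latin-1").encode("cp037", errors="replace")


def constructed_pfx_like() -> bytes:
    """Constructed sample: a well-formed outer DER SEQUENCE around 512 bytes of
    filler. NOT a real PKCS #12 file, just enough to exercise the framing check."""
    payload = bytes(range(256)) * 2
    return bytes([DER_SEQUENCE_TAG, 0x82]) + len(payload).to_bytes(2, "big") + payload
```

Run it on the copy that landed on z/OS and on the PC original: after a binary-mode put, classify_import_file() reports binary-der on both sides, while a text-mode put turns the z/OS copy into unknown.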


Storing the certificate in an existing key database

The first step is to log on to USS. You will use the IBM-supplied program gskkyman to manage your keys and certificates. A sample session is shown below.

Opening a key database

1. From USS, invoke the gskkyman utility by typing gskkyman.

   The Database Menu displays.

2. On the Enter option number line, type 2.

3. Enter the key database name of your existing key database. This field is case sensitive, so make sure to type the name correctly. For example, you might type ExpKeyDB.kdb.

4. Type the database password.

   The key database is opened.

Continue with the steps in the next section.

    Database Menu

       1 - Create new database
       2 - Open database
       3 - Change database password
       4 - Change database record length
       5 - Delete database
       6 - Create key parameter file
       7 - Display certificate file (Binary or Base64 ASN.1 DER)

      11 - Create new token
      12 - Delete token
      13 - Manage token
      14 - Manage token from list of tokens

       0 - Exit program

    Enter option number: 2

    Enter key database name (press ENTER to return to menu): ExpKeyDB.kdb

    Enter database password (press ENTER to return to menu):

Importing your certificate

Once you have opened the key database, you are ready to import your new certificate into it. You will need the name and location of the pfx file that you sent by FTP to your z/OS machine.

When you press Enter in Step 4 of the previous procedure, the Key Management Menu displays.

1. Type 8 to Import a certificate and a private key and press Enter.

2. Type the import file name. This is the name you used when you sent the file by FTP to your z/OS system.

3. Type the import file password.

4. Type the certificate label, such as ExpditeCert2011, and then press Enter.

   The following message displays: Certificate and key imported. Press Enter and continue with the instructions in the next section.

    Key Management Menu

    Database: /u/user/ExpKeyDB.kdb
    Expiration: None

       1 - Manage keys and certificates
       2 - Manage certificates
       3 - Manage certificate requests
       4 - Create new certificate request
       5 - Receive requested certificate or a renewal certificate
       6 - Create a self-signed certificate
       7 - Import a certificate
       8 - Import a certificate and a private key
       9 - Show the default key
      10 - Store database password
      11 - Show database record length

       0 - Exit program

    Enter option number (press ENTER to return to previous menu): 8

    Enter import file name (press ENTER to return to menu): NewKey.pfx

    Enter import file password (press ENTER to return to menu):

    Enter label (press ENTER to return to menu): ExpditeCert2011

Setting the default certificate

You must set the certificate that you just imported as the default certificate.

1. On the Key Management Menu, type 1 and press Enter.

   The Key and Certificate List screen displays.

    Key Management Menu

    Database: /u/user/ExpKeyDB.kdb
    Expiration: None

       1 - Manage keys and certificates
       2 - Manage certificates
       3 - Manage certificate requests
       4 - Create new certificate request
       5 - Receive requested certificate or a renewal certificate
       6 - Create a self-signed certificate
       7 - Import a certificate
       8 - Import a certificate and a private key
       9 - Show the default key
      10 - Store database password
      11 - Show database record length

       0 - Exit program

    Enter option number (press ENTER to return to previous menu):

    ===> 1

    Key and Certificate List

    Database: /u/user/ExpKeyDB.kdb

       1 - ExpditeCert
       2 - ExpditeCert2011

       0 - Return to selection menu

    Enter label number (ENTER to return to selection menu, p for previous list):

2. Type the number next to the certificate label you just imported and press Enter. I am selecting option 2 as this was my new certificate.

   The Key and Certificate Menu displays.

3. Type 3 and press Enter.

   The following message displays: Default key set.

    Key and Certificate Menu

    Label: ExpditeCert2011

       1 - Show certificate information
       2 - Show key information
       3 - Set key as default
       4 - Set certificate trust status
       5 - Copy certificate and key to another database
       6 - Export certificate to a file
       7 - Export certificate and key to a file
       8 - Delete certificate and key
       9 - Change label
      10 - Create a signed certificate and key
      11 - Create a certificate renewal request

       0 - Exit program

    Enter option number (press ENTER to return to previous menu):

    ===> 3

4. Press Enter.

   The Key and Certificate Menu displays.

5. On the Enter option number line, type 4.

6. On the Enter 1 if trusted line, type 1 and press Enter.

   The following message displays: Record updated.

7. Press Enter to continue.

You should now have your existing key database containing both the old and the new client certificates and CA certificates. You should be able to use your existing job to run a session.

    Key and Certificate Menu

    Label: ExpditeCert2011

       1 - Show certificate information
       2 - Show key information
       3 - Set key as default
       4 - Set certificate trust status
       5 - Copy certificate and key to another database
       6 - Export certificate to a file
       7 - Export certificate and key to a file
       8 - Delete certificate and key
       9 - Change label
      10 - Create a signed certificate and key
      11 - Create a certificate renewal request

       0 - Exit program

    Enter option number (press ENTER to return to previous menu):

    ===> 4