46 RACF Remote Sharing Facility over TCP/IP
3.4 Creating digital certificates and key rings
Create the digital certificates to identify the RRSF nodes and install them in the key ring
specified in the AT-TLS policy setup. This policy was set up during “Modifying RRSF client to
specify the Keyring” on page 40. This section addresses how to create the digital certificates.
3.4.1 Implementing an RRSF trust policy
When you implement TCP/IP for RRSF node connections, you must implement a trust policy
based on digital certificates. This policy allows TCP/IP communication to take place between
RRSF nodes. RRSF node connections that use TCP/IP are protected by using AT-TLS. This
trust policy is based on the requirements of AT-TLS. It requires that you create a RACF key
ring for each node, and one or more signed server certificates.
Use one of these approaches for defining a trust policy:
1. Using the same, self-signed certificate for all RRSF nodes
2. Using an internal certificate authority (CA) to sign a server certificate for each RRSF node
3. Using an external CA
All these options are addressed with some examples. In addition, a detailed step-by-step
implementation scenario with option 2 is provided for the example environment.
With each approach, exclusive use of the signing CA certificate is the basis for securely
authenticating the nodes in your RRSF network. A local RRSF node receives a connection
attempt from a remote server that presents a digital certificate signed by a CA certificate
within the local server's key ring. If the name of that key ring is specified in the AT-TLS policy,
the local node accepts it as a valid RRSF node connection. Therefore, you must ensure that
your signing CA certificate is used to sign only RRSF server certificates.
Additional security controls can be applied. Some of these controls are briefly described in
3.4.5, “Using an external CA to sign a server certificate for each RRSF node” on page 66.
These controls are presented in the context of a situation in which you lack exclusive use of
the signing CA certificate.
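The option 2 trust policy, as an added example that is not the book's own implementation scenario: RACDCERT commands that create an internal CA reserved for RRSF, a node certificate signed by it, and the key ring that the AT-TLS policy names. The user ID RACFSUB, the ring name RRSFRING, the labels, the data set name and the distinguished names are assumptions.

```tso
/* Added example (not from the book). Assumed names: RACFSUB is the   */
/* user ID of the RACF subsystem address space, RRSFRING is the key    */
/* ring named in the AT-TLS policy; labels, DNs and DSNs are made up.  */

/* 1. Internal CA used ONLY to sign RRSF server certificates. Keeping  */
/*    this CA exclusive to RRSF is what makes "signed by this CA"      */
/*    mean "is an RRSF node" to every node that trusts it.             */
RACDCERT CERTAUTH GENCERT                                            +
   SUBJECTSDN(CN('RRSF Signing CA') O('Example Corp') C('US'))        +
   WITHLABEL('RRSF CA') NOTAFTER(DATE(2030-12-31))

/* 2. One server certificate per RRSF node, signed by that CA and     */
/*    owned by the RACF subsystem user ID (this node is NODE1).       */
RACDCERT ID(RACFSUB) GENCERT                                         +
   SUBJECTSDN(CN('NODE1') O('Example Corp') C('US'))                  +
   WITHLABEL('RRSF NODE1') SIGNWITH(CERTAUTH LABEL('RRSF CA'))        +
   NOTAFTER(DATE(2028-12-31))

/* 3. Key ring: the CA certificate supplies the trust, the node        */
/*    certificate (DEFAULT) is the one sent during the TLS handshake. */
RACDCERT ID(RACFSUB) ADDRING(RRSFRING)
RACDCERT ID(RACFSUB) CONNECT(CERTAUTH LABEL('RRSF CA')                +
   RING(RRSFRING) USAGE(CERTAUTH))
RACDCERT ID(RACFSUB) CONNECT(ID(RACFSUB) LABEL('RRSF NODE1')          +
   RING(RRSFRING) DEFAULT USAGE(PERSONAL))

/* 4. Export only the CA's public certificate; every other node adds   */
/*    it as CERTAUTH in its own ring. The CA private key stays here:   */
/*    generate the other nodes' certificates on this node and move     */
/*    them with EXPORT FORMAT(PKCS12DER) PASSWORD(...) instead.        */
RACDCERT CERTAUTH EXPORT(LABEL('RRSF CA'))                            +
   DSN('RRSF.CA.CERT.DER') FORMAT(CERTDER)

/* 5. Activate the changes and check what the ring actually contains.  */
SETROPTS RACLIST(DIGTCERT) REFRESH
RACDCERT ID(RACFSUB) LISTRING(RRSFRING)
```

The LISTRING output should show exactly two entries: the CA with usage CERTAUTH and the node certificate marked as DEFAULT; any extra CERTAUTH entry widens who can connect as an RRSF node.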
3.4.2 Digital certificates
Network entities authenticate to each other using the trust policy established by digital
certificates. The identities of trusted entities are represented by these digital certificates. For
an application, the certificate of the application and those of trusted entities for that
application are stored in a container called a key ring.
The TLS standard requires the server to send its certificate to the client for validation. It
optionally requires the client to send its certificate to the server for validation (also called
“client authentication”). RRSF is not the traditional client/server model. Rather, it is a mesh of
peers. Therefore, you must enforce client authentication so that both sides of the conversation
are authenticated to each other.
RRSF runs within the RACF subsystem address space. Each node can initiate a connection
or accept it. So, the RACF subsystem address space identity can act as either the client or