Register a SAF-based PKI Transfer CFT z/OS (RACF)

This section describes how to register a Transfer CFT z/OS that has implemented RACF (Resource Access Control Facility). To use this Transfer CFT in flows between z/OS and non z/OS Transfer CFTs, see Configure Transfer CFT SAF-based PKI.

You can manage the Transfer CFT z/OS certificates in the SAF based PKI (RACF), even though Central Governance governs the Transfer CFT. However, the use of RACF is limited to business certificates only; you manage the governance certificates in the Transfer CFT PKI database.

Supported versions

Central Governance 1.1.3 SP6 and higher supports registering a Transfer CFT z/OS that has RACF enabled.

Central Governance supports RACF for Transfer CFT z/OS on version 3.1.3 SP12 and higher.


On the Transfer CFT to register, you must:

  • Install Transfer CFT as described in the Transfer CFT 3.x.x Installation and Operations Guide z/OS selecting the options to enable Central Governance.
  • Set CFTUTIL uconfset id=pki.type, value=system in the RACF Transfer CFT. (Once set, you cannot modify this value. That is, this Transfer CFT cannot be set to pki.type=cft at a later date.)

Registration procedure

Starting Copilot for the first time after installation triggers registration.

Post registration

After completing the registration, for SSL protocols the certificate details and the CA certificate alias fields do not display any values in the Central Governance UI. You must manually upload the certificate before you can use Central Governance to manage this Transfer CFT. See Configure Transfer CFT SAF-based PKI for details.


Central Governance | Document Directory

Related Links