RACF changes
•  Add Root certificate - if not already available:
RACDCERT CERTAUTH ADD('your CA dataset name') TRUST -  withlabel('your CA label ')
•  Add Server certificate, if not already available:
RACDCERT ID(TN3270) ADD('your datasetname') TRUST -  WITHLABEL('your label') PASSWORD('password')
•  Create RACF keyring:
RACDCERT ID(TN3270) ADDRING('your RACF keyring name')
•  Add certificates to the keyring:
RACDCERT ID(TN3270) CONNECT(CERTAUTH) - LABEL('your CA label')  RING('your RACF keyring name')  -USAGE(CERTAUTH))

RACDCERT ID(TN3270) CONNECT(ID(TN3270)  - LABEL('your label') -RING('your RACF keyring name') DEFAULT USAGE(PERSONAL))
•  For testing, a self-signed client certificate was created:
RACDCERT ID('RACF userid') -    

GENCERT -                              

SUBJECTSDN(CN('Name of User') -           

			O('Name of Organization') -      

			C('US'))                    -      

WITHLABEL('BlueZone Client for Username') - 

SIGNWITH(CERTAUTH LABEL(''your CA label'))

RACDCERT EXPORT(LABEL('BlueZone Client for Name of User')) - 

ID('RACF userid') -          

DSN('your dataset name') -            

PASSWORD('client password') -     

FORMAT(PKCS12DER)
Using FTP, this data set is sent to the user's machine and imported into their personal certificate store.
Related Links
Express logon feature (Parent Topic)