RACF changes
1. Add Root certificate - if not already available:
RACDCERT CERTAUTH ADD('your CA dataset name') TRUST -  withlabel(''your CA label' ')
2. Add Server certificate, if not already available:
RACDCERT ID(TN3270) ADD('your datasetname') TRUST -  WITHLABEL('your label') PASSWORD('password')
3. Create RACF keyring:
RACDCERT ID(TN3270) ADDRING('your RACF keyring name')
4. Add certificates to the keyring:
RACDCERT ID(TN3270) CONNECT(CERTAUTH) - LABEL('your CA label')  RING('your RACF keyring name')  -USAGE(CERTAUTH)) 
RACDCERT ID(TN3270) CONNECT(ID(TN3270)  - LABEL('your label') -RING('your RACF keyring name') DEFAULT USAGE(PERSONAL))
5. For testing, a self-signed client certificate has been created:
RACDCERT ID('RACF userid') -    

GENCERT -                              

SUBJECTSDN(CN('Name of User') -           

		O('Name of Organization') -      

		C('US'))                    -      

WITHLABEL('BlueZone Client for Username') - 

SIGNWITH(CERTAUTH LABEL(''your CA label'))

RACDCERT EXPORT(LABEL('BlueZone Client for Name of User')) - 

ID('RACF userid') -          

DSN('your dataset name') -            

PASSWORD('client password') -     

FORMAT(PKCS12DER)
This dataset is then sent using FTP to the user's machine and imported into their personal certificate store.
Related Links
BlueZone express logon feature (Parent Topic)