CAICCI Configuration › CAICCI Tasks › Additional Configuration Tasks for CAICCI › Copy CCIRTARM

Copy CCIRTARM

Keep in mind the following items before you copy CCIRTARM.

• When using CCISSL, CCIRTARM comes into play if CCISSL has been configured to request and authenticate client certificates.
• This option is turned off, by default.
• CCIRTARM is the sample Certificate Authority certificate the mainframe server CCISSL uses to authenticate its PC clients that are using the sample key/certificate cci.pem as their End User certificate.
• File cci.pem is copied into directory C:\CA_APPSW during CCIPC/SSL installation.
• If this option is turned on (CLAUTH=Y within the CCISSL proc PARM or the TCPSSL PROTOCOL statement), then CCIRTARM is required to authenticate the cci.pem certificate from the PC client.

  If you are using an HFS key database, CCIRTARM must be imported as a CA certificate within the SSL key database on the mainframe using the gskkyman utility.

  If you are using a z/OS key database, CCIRTARM must be imported as a CA certificate to the z/OS key database using security software such as Top Secret, ACF2, or RACF.

  Note: For more information about importing certificate keys and the gskkyman utility, see the IBM System SSL Programming Guide and Reference (SC24-5877).

When using CCISSLGW, CCIRTARM is used to authenticate certificates from remote hosts when the remote host initiates the connection, functioning as the client side of the SSL session. Although CCISSLGW and its remote hosts are ultimately peer-to-peer connections, the driver of the connection request determines their initial client/server identities for SSL session establishment. Since either the local or remote host can initiate the connection, either side could be the client end of the SSL session. Therefore, CCIRTARM is required to reside on all hosts that will connect over SSL.

• The controlling proc PARM option (RMAUTH=Y) is turned on by default.

If you have configured CCISSL to request and authenticate client certificates or you are running CCISSLGW, perform these steps:

Follow these steps:

1. Copy CCIRTARM from the CAW0OPTN data set using ASCII (text) transfer to an HFS file on your mainframe where CCISSL or CCISSLGW is executing.
2. Store the file on an HFS as ccirt.arm. For example, issue the TSO command OPUT YourdeployHLQ.CAW0OPTN(CCIRTARM) '/etc/ccirt.arm' TEXT.
3. If you are using an HFS key database, use the System SSL utility (gskkyman) to import the certificate authority of the PC ccirt.arm (CCIRTARM) as a CA certificate in the SSL key database for client authentication.

   If you are using a z/OS key database, consult your security software documentation or your security administrator for the import process.