Windows to Mainframe: Common Communications Interface › Configure CAICCI for TCP/IP › SSL Tab

SSL Tab

The SSL tab lets you set the Secured Sockets Layer parameters for CAICCI on Windows.

The PC must connect to a mainframe server that supports SSL (CCISSL) for the protocol to be active. A PC running SSL-enabled CAICCI code that connects to a server that does not support SSL will either revert to the standard unsecured protocol or has its connection request rejected, depending on the selected SSL encryption option below.

This tab contains the following fields to set SSL encryption options:

Force Secure end-to-end connection

Selecting this option informs CAICCI that end-to-end SSL is required for all CCI requests. There must be a secured link in place from the PC to its receiving application’s target host including any intermediate hosts acting as routers to the target host. Since SSL is also required for the PC’s connection to its mainframe server, selecting this option also forces on the option for Force secure connection from PC to Host.

Force secure connection from PC to Host

Selecting this option specifies that an SSL connection is required by the PC to its mainframe server. If the server does not support SSL, the connection request fails.

Defer decision to host

Selecting this option defers the decision of establishing a secured SSL connection to the mainframe server. An SSL connection will be established only if the mainframe server requires it.

Disable secure connection on the PC

Selecting this option disables SSL on the PC. If the mainframe server requires a secured SSL connection, the connection request fails.

Note: The PC application can programmatically specify and override the settings of the SSL Tab.

The SSL Tab contains the following fields to locate certificates. End-user SSL certificates are now supported in PKCS#12 format and both user and CA certificates can be stored and accessed from the Windows Certificate Store.

SSL Path

Specifies the name of the directory path where CAICCI-PC searches for certificates unless overridden by one of the fields described below.

Client Certificate

This field specifies the absolute path and name of a file (if the file name starts with a "drive_letter:\") or the relative path and name of a file (relative to SSL Path) containing the Public Key Infrastructure (PKI) private key and certificate that the PC uses to identify itself to the mainframe server. If Client Certificate has a file type of "*.p12", the certificate is assumed to be in PKCS#12 format. Otherwise the certificate is assumed to be in PEM format.

The Client Certificate field can also reference a certificate within the Windows Certificate Store. This reference cannot be by filename but rather is through an entity within the certificate. The following methods can be used to reference a certificate within the Windows Store:

• Specify a character string that is contained within the certificate's Subject Name, enclosed within double quotes. For example, specify: "substring". Multiple certificates can match on a substring. The first match is used. Specify enough of the certificate’s Subject Name to guarantee the desired certificate is selected. If multiple certificates have the same Subject Name, then do not use this method.
• Specify the entire hex string of the certificate's Thumbprint, enclosed within < >. For example, specify: <xx xx xx xx... xx>. The thumbprint is unique.

PKI Password

This field specifies the password for Client Certificate that allows CAICCI to use the PKI private key. The password is required when Client Certificate specifies a filename. The password for a certificate residing within the Windows Certificate store is required at the time that the certificate is imported into the store.

CA Certificates

This field specifies the absolute path and name of a file (if the file name starts with a "drive_letter:\") or the relative path and name of a file (relative to SSL Path) containing one or more concatenated Certificate Authority certificates that the PC uses to authenticate certificates received from its server.

The CA Certificates field may also reference a CA certificate within the Windows Certificate Store. This reference cannot be through a filename but rather is through an entity within the CA certificate. The following methods can be used to reference a CA certificate within the Windows Store:

• Specify a character string that is contained within the CA certificate's Subject Name, enclosed within double quotes. For example, specify: "substring". Multiple CA certificates can match on a substring. The first match is used. Specify enough of the CA certificate’s Subject Name to guarantee the desired certificate is selected. If multiple CA certificates have the same Subject Name, then do not use this method.
• Specify the entire hex string of the CA certificate's thumbprint, enclosed within < >. For example, specify: <xx xx xx xx... xx>. The thumbprint is unique.

CA Directory

This field specifies the absolute path and name of a directory (if the directory name starts with a "drive_letter:\") or the relative path and name of a directory (relative to SSL Path) containing the Certificate Authority certificate files that the PC uses to authenticate certificates received from its server.

The individual Certificate Authority certificate files are named after their subject name hash value. At startup, SSL first loads certificates from the CA Certificates file. During connection time, if SSL cannot find the required CA certificate, it then checks this directory.

SSL Verify Depth

This field specifies the maximum depth of the certificate verification chain. A value of 1 allows the check of the peer certificate and one Certificate Authority certificate. Higher values allow checks for additional Certificate Authority certificates.