Certificates can be stored in one of two places for use by CA XCOM Data Transport for z/OS: in HFS data sets or in the z/OS system's security package. In either case, the certificates are loaded and processed dynamically at the time the secure session is negotiated with the partner system. This provides flexibility, because certificates can be updated as needed while the CA XCOM Data Transport server remains active. If the certificates are stored in HFS data sets, the CA XCOM Data Transport server or batch job must have sufficient access authority to read those data sets. In this case, four parameter sections in the configssl.cnf file control certificate usage. These sections are:
These sections provide the directory and file names that contain the actual certificate and encryption key data.
If the certificates are stored in one or more KEYRINGs that are maintained by the z/OS system's security package, the server or batch job must run with authority to use the appropriate KEYRING to which the certificates have been loaded. In this case, the required KEYRING is referenced in the [KEYRING] section in the configssl.cnf member. If a certificate other than the default is to be used, specify the certificate label in the configssl.cnf section [LABLCERT].
If the INITIATE_SIDE or RECEIVE_SIDE parameter is provided in the [KEYRING] section of a configssl.cnf data set, the four sections pertaining to HFS files are ignored for the type of transfer to which that parameter applies. In other words, the INITIATE_SIDE parameter applies the KEYRING data only to locally initiated transfers, and the RECEIVE_SIDE parameter applies the KEYRING data only to remotely initiated transfers.
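As an added illustration of the precedence rule above (not code from CA or from the product documentation), the following parses a constructed configssl.cnf member and reports which certificate source applies to each transfer direction, which is useful when auditing whether a job still needs read authority on the HFS data sets. The key=value syntax inside the sections, the ring and label names, and the use of INITIATE_SIDE/RECEIVE_SIDE as parameter names inside [LABLCERT] are assumptions.

```python
"""Resolve the effective certificate source per transfer direction from a
configssl.cnf-style member.  Added illustration, not CA's code: the key=value
syntax, the ring/label names and the [LABLCERT] parameter names are assumed."""
import configparser

# Constructed sample member: [KEYRING] names a ring for locally initiated
# transfers only, so remotely initiated transfers still fall back to HFS files.
SAMPLE_CONFIGSSL = """\
[KEYRING]
INITIATE_SIDE=XCOMRING

[LABLCERT]
INITIATE_SIDE=XCOM-CLIENT-CERT
"""


def load_configssl(text: str) -> configparser.ConfigParser:
    """Parse a configssl.cnf-style member, keeping parameter names as written."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # preserve INITIATE_SIDE / RECEIVE_SIDE case
    cfg.read_string(text)
    return cfg


def certificate_source(cfg: configparser.ConfigParser, direction: str) -> dict:
    """Return the certificate source for 'initiate' (locally initiated) or
    'receive' (remotely initiated) transfers.  A [KEYRING] parameter for that
    direction overrides the HFS sections for that direction only; the label
    comes from [LABLCERT] when present, otherwise the ring's default is used."""
    param = {"initiate": "INITIATE_SIDE", "receive": "RECEIVE_SIDE"}[direction]
    if cfg.has_option("KEYRING", param):  # False when the section is absent
        return {
            "source": "keyring",
            "keyring": cfg.get("KEYRING", param),
            "label": cfg.get("LABLCERT", param, fallback=None),
        }
    return {"source": "hfs"}


def directions_using_hfs(cfg: configparser.ConfigParser) -> list:
    """List the directions that still read certificates from HFS data sets,
    i.e. where the server or batch job needs read access to those data sets."""
    return [d for d in ("initiate", "receive")
            if certificate_source(cfg, d)["source"] == "hfs"]


if __name__ == "__main__":
    cfg = load_configssl(SAMPLE_CONFIGSSL)
    for d in ("initiate", "receive"):
        print(d, certificate_source(cfg, d))
    print("still dependent on HFS data sets:", directions_using_hfs(cfg))
```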
For more information about defining digital certificates to your z/OS security system, see the documentation for your particular security software:
No matter where the certificates are stored, the server or batch job must run with the appropriate system and security definitions needed to create a UNIX System Services (USS) environment to run under.
Copyright © 2012 CA. All rights reserved.