#######################################################################
#
# This file is used by CA XCOM Data Transport to
# configure OpenSSL
#
# Mandatory means that the parameter must contain a value:
#
# # Mandatory
# [VERIFY_DEPTH]
# INITIATE_SIDE = 4
# RECEIVE_SIDE = 4
#
# is correct,
#
# # Mandatory
# [VERIFY_DEPTH]
# INITIATE_SIDE =
# RECEIVE_SIDE = 4
#
# is incorrect: INITIATE_SIDE must not be empty.
#
# For optional sections, INITIATE_SIDE etc. may be empty.
#
# For CA XCOM, INITIATE_SIDE is used by the local machine.
# RECEIVE_SIDE is used by the remote partner.
#
# Note: The directory and file names used in this sample refer to
# the directories and files created using the makeca,
# makeserver and makeclient sample scripts. If the sample
# scripts have been unloaded to a location other than
# /usr/spool/xcom/ssl then these names will need to be
# updated.
#
#######################################################################
# Mandatory, note that CA XCOM uses the v3 protocol
# OpenSSL SSL_OP_* option flags, OR-ed together with "|".
# SSL_OP_NO_SSLv2 disables only SSLv2; SSLv3, the method selected in
# [SSL_METHOD], stays enabled under this mask.
# SSL_OP_ALL is OpenSSL's bundle of interoperability workarounds and
# includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which switches off a CBC
# record-layer mitigation; check the vendor documentation for which
# SSL_OP_* names this XCOM release accepts before narrowing the mask.
# SSL_OP_SINGLE_DH_USE (receive side) makes OpenSSL generate a fresh DH
# private value per handshake instead of reusing one.
[SSL_OPTION]
INITIATE_SIDE = SSL_OP_ALL|SSL_OP_NO_SSLv2
RECEIVE_SIDE = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE
# Mandatory
# Maximum certificate-chain length accepted when verifying the peer
# (presumably passed through to OpenSSL's verify depth - confirm in the
# product documentation). A chain longer than this fails verification;
# 4 covers peer + up to three intermediates/roots.
[VERIFY_DEPTH]
INITIATE_SIDE = 4
RECEIVE_SIDE = 4
# Mandatory, note that CA XCOM uses the v3 protocol
# Protocol method for each side. "v3" here reads as SSLv3, which is
# deprecated (RFC 7568) and has known padding-oracle weaknesses;
# the set of method values this XCOM release accepts (e.g. a TLS
# method) is not documented in this file - check the vendor
# documentation before changing it, and keep both sides identical.
[SSL_METHOD]
INITIATE_SIDE = v3
RECEIVE_SIDE = v3
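# Optional
# OpenSSL cipher-list strings (openssl-ciphers(1) syntax). Both sides
# are written in the same shape: start from ALL, remove (!) anonymous
# DH, LOW and EXPORT grade suites and MD5-MAC suites, then order by
# strength (@STRENGTH).
# NOTE(review): the sample originally wrote "MD5" without "!" on the
# initiate side; an un-prefixed token only appends suites that ALL
# already contains, so MD5-based suites stayed enabled for outbound
# transfers while the receive side excluded them. Both sides now use
# !MD5.
# !AES removes every AES suite, leaving 3DES (and RC4 where the OpenSSL
# build still offers it) as bulk ciphers. This looks deliberate for the
# z/OS ICSF 3DES offload described under [ICSF] - confirm - but 3DES and
# RC4 are both deprecated, so review this list on non-z/OS platforms.
[CIPHER]
INITIATE_SIDE = ALL:!AES:!ADH:!LOW:!EXP:!MD5:@STRENGTH
RECEIVE_SIDE = ALL:!AES:!ADH:!LOW:!EXP:!MD5:@STRENGTH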
# Optional, specifies the method used for encryption by the 3DES cipher
# on the z/OS platform.
# The OpenSSL implementation used by XCOM provides 3DES encryption
# using a software encryption routine. Due to the complex nature of
# 3DES, the software encryption routine may consume a large amount
# of CPU. Using a compression routine (XCOM COMPRESS= parameter) may
# help limit the CPU by decreasing the amount of data passed through
# the software encryption routine.
# To further reduce the CPU usage required by 3DES, this section allows
# the software encryption routine to be replaced by a call to ICSF
# for cryptographic coprocessor support.
# Options:
#   CLEAR - stores the symmetric keys in clear text in memory during
#           the transfer and uses the ICSF CSNBSYE/CSNBSYD encryption
#           functions.
#   NO (default) - use the OpenSSL software encryption routine
# Notes:
# * Applies to 3DES on the z/OS platform only.
# * CLEAR requires that ICSF be installed and active on the system
#   with a cryptographic coprocessor.
# * Because CLEAR keeps session keys in clear text in the address
#   space, a memory dump of the transfer process would expose them;
#   weigh that against the CPU saving before enabling it.
# Values are read for both sides; keep them identical unless the two
# sides run on different platforms.
[ICSF]
INITIATE_SIDE = NO
RECEIVE_SIDE = NO
# Optional, specifies that the certificates are located in your site's
# security product. The KEYRING and LABLCERT are passed to security to
# identify the keyring that contains the certificates.
# If specified, these values will override the values specified in the
# sections: CA, CA_DIRECTORY, CERTIFICATE and PRIVATEKEY.
# KEYRING and LABLCERT are only used by the z/OS platform.
# Empty (as in this sample) means the PEM files named in the sections
# above are used instead. Using the security product's keyring keeps
# the private key out of a plain file and out of this file's
# [PASSWORD] section, so prefer it where available.
[KEYRING]
INITIATE_SIDE =
RECEIVE_SIDE =
# Optional, specifies that the certificates are located in your site's
# security product. The KEYRING and LABLCERT are passed to security to
# identify the keyring that contains the certificates.
# If specified, these values will override the values specified in the
# sections: CA, CA_DIRECTORY, CERTIFICATE and PRIVATEKEY.
# KEYRING and LABLCERT are only used by the z/OS platform.
# LABLCERT is the certificate label within the keyring named in
# [KEYRING]; set both sections together or leave both empty.
[LABLCERT]
INITIATE_SIDE =
RECEIVE_SIDE =
# Mandatory
# PEM file holding the CA certificate(s) trusted to sign the peer's
# certificate. The sample points both sides at the makeca output;
# in production this should contain only the CA(s) you actually trust
# for XCOM partners, not a general-purpose bundle.
[CA]
INITIATE_SIDE = /usr/spool/xcom/ssl/certs/cassl.pem
RECEIVE_SIDE = /usr/spool/xcom/ssl/certs/cassl.pem
# Mandatory
# Directory searched for additional CA certificates. Presumably an
# OpenSSL hashed lookup directory (c_rehash style) - confirm with the
# product documentation. Every certificate placed here becomes a trust
# anchor, so keep the directory writable only by the XCOM
# administrator.
[CA_DIRECTORY]
INITIATE_SIDE = /usr/spool/xcom/ssl/certs
RECEIVE_SIDE = /usr/spool/xcom/ssl/certs
# Mandatory
# PEM certificate presented by this machine: the client certificate
# when it initiates a transfer, the server certificate when it
# receives one. The sample names come from the makeclient/makeserver
# scripts.
[CERTIFICATE]
INITIATE_SIDE = /usr/spool/xcom/ssl/certs/clientcert.pem
RECEIVE_SIDE = /usr/spool/xcom/ssl/certs/servercert.pem
# Mandatory
# PEM private key matching the certificate in [CERTIFICATE]. These
# files must be readable only by the account that runs XCOM; if the
# key is password protected the password is supplied in [PASSWORD].
[PRIVATEKEY]
INITIATE_SIDE = /usr/spool/xcom/ssl/private/clientkey.pem
RECEIVE_SIDE = /usr/spool/xcom/ssl/private/serverkey.pem
# Mandatory, YES/NO (if NO, DH will be used)
# Key-exchange choice for the receive side only - this section has no
# INITIATE_SIDE key. NO (sample) selects Diffie-Hellman using the
# parameters in [DH], which provides forward secrecy; YES uses the RSA
# key from [PRIVATEKEY] for key exchange.
[RSAKEY]
RECEIVE_SIDE = NO
# Optional (for RSA NO, see above). If RSA NO and DH files empty,
# then internal program tables will be used.
# One PEM parameter file per DH group size. The size used for a given
# handshake and the size of the built-in tables are not stated here;
# 512-bit and 1024-bit groups are below current minimums, so verify
# that at least the 2048-bit group is in effect before relying on
# forward secrecy.
[DH]
DH_512_RECEIVE_SIDE =
DH_1024_RECEIVE_SIDE =
DH_2048_RECEIVE_SIDE =
DH_4096_RECEIVE_SIDE =
# Mandatory if a random daemon is not running on the system.
# Length is set to the file length or to the number of bytes
# to be read from a urandom device. Length can be -1 (read until EOF)
# for a disk file but not for a urandom device, OpenSSL would read
# until EOF which will never be reached for a urandom device.
# If a length of -1 is specified for a file name containing "dev" then
# an error will occur.
# Optional if a random daemon is running on the system.
# Seed source for OpenSSL's RNG. A fixed file such as random.pem
# reseeds with the same bytes every time, so prefer a urandom device
# or an entropy daemon on platforms that have one; if a file must be
# used, protect it like a private key.
[RANDOM]
INITIATE_SIDE_FILE = /usr/spool/xcom/ssl/random.pem
INITIATE_SIDE_LENGTH = 1024
RECEIVE_SIDE_FILE = /usr/spool/xcom/ssl/random.pem
RECEIVE_SIDE_LENGTH = 1024
# Mandatory if local certificates were created with passwords. If local
# certificates were not created with passwords, the value will be ignored.
# PASSWORD has to match the password used when generating the certificates.
# The private-key passphrase is stored in clear text here, so this file
# must have the same restrictive permissions as the key files in
# [PRIVATEKEY]. "password" is the sample value - replace it before use.
[PASSWORD]
INITIATE_SIDE = password
RECEIVE_SIDE = password
# Mandatory, YES/NO
# Whether the peer's certificate chain is validated against [CA] and
# [CA_DIRECTORY]. NO on either side accepts any certificate from the
# partner; keep YES on both sides.
[VERIFY_CERTIFICATE]
INITIATE_SIDE = YES
RECEIVE_SIDE = YES
# Mandatory, YES/NO
# Presumably enables matching of the peer certificate's fields against
# the [HOST_NAME] .. [COUNTRY_NAME] sections below - confirm in the
# product documentation. With NO (sample), a valid certificate from
# any holder trusted by [CA] is accepted regardless of who it names;
# set YES and populate at least [HOST_NAME] to pin the partner.
[VERIFY_MACHINE]
INITIATE_SIDE = NO
RECEIVE_SIDE = NO
# Optional, matches against the Subject Alternative Name DNS: field in the certificate
# HOST_NAME can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx host name matches the certificate sent by the receive side
# RECEIVE_SIDEx host name matches the certificate sent by the initiate side
# Of the matching sections that follow, this is the one that ties the
# certificate to a machine identity; an empty value (sample) imposes no
# constraint.
[HOST_NAME]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# The sections from here to [COUNTRY_NAME] all follow the same pattern:
# each numbered INITIATE_SIDEx / RECEIVE_SIDEx value is compared with
# one field of the peer certificate, and an empty value (sample) means
# no check on that field. Matching on Serial Number pins one specific
# certificate (it changes on renewal); the DN fields below only
# restrict who the certificate may name.
# Optional, matches against the Serial Number: field in the certificate
# SERIAL_NUMBER can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx serial number matches the certificate sent by the receive side
# RECEIVE_SIDEx serial number matches the certificate sent by the initiate side
[SERIAL_NUMBER]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the name= field in the certificate
# NAME can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx name matches the certificate sent by the receive side
# RECEIVE_SIDEx name matches the certificate sent by the initiate side
[NAME]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the title= field in the certificate
# TITLE can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx title matches the certificate sent by the receive side
# RECEIVE_SIDEx title matches the certificate sent by the initiate side
[TITLE]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the description= field in the certificate
# DESCRIPTION can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx description matches the certificate sent by the receive side
# RECEIVE_SIDEx description matches the certificate sent by the initiate side
[DESCRIPTION]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the emailAddress= field in the certificate
# EMAIL can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx email matches the certificate sent by the receive side
# RECEIVE_SIDEx email matches the certificate sent by the initiate side
[EMAIL]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the OU= field in the certificate
# ORGANIZATIONAL_UNIT_NAME can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx organizational unit name matches the certificate sent by the receive side
# RECEIVE_SIDEx organizational unit name matches the certificate sent by the initiate side
[ORGANIZATIONAL_UNIT_NAME]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the O= field in the certificate
# ORGANIZATION_NAME can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx organization name matches the certificate sent by the receive side
# RECEIVE_SIDEx organization name matches the certificate sent by the initiate side
[ORGANIZATION_NAME]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the L= field in the certificate
# LOCALITY_NAME can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx locality name matches the certificate sent by the receive side
# RECEIVE_SIDEx locality name matches the certificate sent by the initiate side
[LOCALITY_NAME]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the ST= field in the certificate
# STATE_OR_PROVINCE_NAME can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx state or province name matches the certificate sent by the receive side
# RECEIVE_SIDEx state or province name matches the certificate sent by the initiate side
[STATE_OR_PROVINCE_NAME]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Optional, matches against the C= field in the certificate
# COUNTRY_NAME can contain one or more INITIATE_SIDEx and RECEIVE_SIDEx (x=1, 2, 3, etc.)
# INITIATE_SIDEx country name matches the certificate sent by the receive side
# RECEIVE_SIDEx country name matches the certificate sent by the initiate side
[COUNTRY_NAME]
INITIATE_SIDE1 =
RECEIVE_SIDE1 =
# Copyright © 2012 CA. All rights reserved.