Configuring the CA XCOM Data Transport Client

Generating SSL Certificates › Configuring the CA XCOM Data Transport Client

Configuring the CA XCOM Data Transport Client

To configure the CA XCOM Data Transport client to use the CA certificate and the server certificate when establishing client (local) SSL connections

Review and modify the settings of the CA XCOM Data Transport SSL configuration file, configssl.cnf, as appropriate for your system. Client connections use the INITIATE_SIDE values. Also, ensure that the XCOM_HOME environment variable is ser correctly to the XCOM installed location since it is used within this file.
Point the XCOM_CONFIG_SSL parameter in your default options table/global file to your customized configssl.cnf file.
Note: For z/OS, the path and file name must be an HFS file.
1. For z/OS, the XCOM_CONFIG_SSL parameter can also be specified as a destination member parameter.
2. For UNIX and Windows, the XCOM_CONFIG_SSL parameter can also be specified in your configuration (cnf or xml) file.
Set the SECURE_SOCKET parameter to YES to indicate an SSL connection.
1. For z/OS, specify the SECURE_SOCKET parameter in the SYSIN01, the destination member, or the default options table.
2. For UNIX and Windows, specify the SECURE_SOCKET parameter in the configuration (cnf) file.
Specify the port through which the remote CA XCOM Data Transport partner accepts SSL connections. Use one of the following parameters:
1. PORT for UNIX and Windows
2. IPPORT for z/OS
Initiate the transfer request.

Default Sample Scripts

By default, the CA XCOM Data Transport setup deploys sample scripts to create RSA certificates in your $XCOM_HOME\ssl directory. The type of certificate depends on the cipher suite used in your SSL communication. You can control this setting by using the $XCOM_HOME\config\configssl.cnf file.

Your security administrator needs to set the appropriate cipher suite for SSL communication.

Cipher Suites

When a TLS or SSL connection is established, the client and server negotiate a cipher suite, exchanging cipher suite codes in the client hello and server hello messages. The cipher suite specifies a combination of cryptographic algorithms to be used for the connection.

By default, a strong cipher suite is set in configssl.cnf as follows:

[SSL_METHOD]
INITIATE_SIDE = v3
RECEIVE_SIDE  = v3
# Optional
[CIPHER]
INITIATE_SIDE = ALL:!ADH:!LOW:!EXP:MD5:@STRENGTH
RECEIVE_SIDE  = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

This cipher suite uses the v3 protocol. By default, the following are excluded from the negotiation:

Anonymous DH cipher suites
Low encryption cipher suites (currently those using 64-bit or 56-bit encryption algorithms)
Cipher suites using MD5

Ciphers are sorted according to their strength.

Supported Cryptographic Protocols

CA XCOM Data Transport supports the following protocols:

TLSV1
V3

In configssl.cnf, you can set the protocol used in SSL communications in one of the following ways:

For V3

# Mandatory, note that CA-XCOM uses the v3 protocol
[SSL_METHOD]
INITIATE_SIDE = v3
RECEIVE_SIDE  = v3

For TLSV1

# Mandatory, note that CA-XCOM uses the v3 protocol
[SSL_METHOD]
INITIATE_SIDE = tlsv1
RECEIVE_SIDE  = tlsv1

Note: The V3 method is applicable only if FIPS_MODE=OFF.

Supported Cipher Suites

This section lists the cipher suites that CA XCOM Data Transport supports when using the TLSV1 or V3 protocols and when the global parameter FIPS_MODE is set to YES or NO.

In the configssl.cnf file, you can set the Cipher Suite name as follows:

# Optional
[CIPHER]
INITIATE_SIDE = <Cipher-Suite-Name>
RECEIVE_SIDE = ALL

Cipher Suites Supported in TLSV1 when FIPS_MODE=YES

The following cipher suites are supported in TLSV1 when FIPS_MODE=YES:

Cipher Suite Name	Key Exchange Algorithm	Authentication Algorithm	Encryption Algorithm	Message Digest Algorithm
DHE-RSA-AES256-SHA	DH	RSA	AES(256)	SHA1
DHE-DSS-AES256-SHA	DH	DSS	AES(256)	SHA1
AES256-SHA	RSA	RSA	AES(256)	SHA1
EDH-RSA-DES-CBC3-SHA	DH	RSA	3DES(168)	SHA1
EDH-DSS-DES-CBC3-SHA	DH	DSS	3DES(168)	SHA1
DES-CBC3-SHA	RSA	RSA	3DES(168)	SHA1
DHE-RSA-AES128-SHA	DH	RSA	AES(128)	SHA1
DHE-DSS-AES128-SHA	DH	DSS	AES(128)	SHA1
AES128-SHA	RSA	RSA	AES(128)	SHA1

Cipher Suites Supported in TLSV1 when FIPS_MODE=NO

The following cipher suites are supported in TLSV1 when FIPS_MODE=NO:

Cipher Suite Name	Key Exchange Algorithm	Authentication Algorithm	Encryption Algorithm	Message Digest Algorithm
DHE-RSA-AES256-SHA	DH	RSA	AES(256)	SHA1
DHE-DSS-AES256-SHA	DH	DSS	AES(256)	SHA1
AES256-SHA	RSA	RSA	AES(256)	SHA1
EDH-RSA-DES-CBC3-SHA	DH	RSA	3DES(168)	SHA1
EDH-DSS-DES-CBC3-SHA	DH	DSS	3DES(168)	SHA1
DES-CBC3-SHA	RSA	RSA	3DES(168)	SHA1
DHE-RSA-AES128-SHA	DH	RSA	AES(128)	SHA1
DHE-DSS-AES128-SHA	DH	DSS	AES(128)	SHA1
AES128-SHA	RSA	RSA	AES(128)	SHA1
RC4-SHA	RSA	RSA	RC4(128)	SHA1
RC4-MD5	RSA	RSA	RC4(128)	MD5
EDH-RSA-DES-CBC-SHA	RSA	RSA	DES(56)	SHA1
EDH-DSS-DES-CBC-SHA	DH	DSS	DES(56)	SHA1
DES-CBC-SHA	RSA	RSA	DES(56)	SHA1
EXP-EDH-RSA-DES-CBC-SHA	DH(512)	RSA	DES(40)	SHA1
EXP-EDH-DSS-DES-CBC-SHA	DH(512)	DSS	DES(40)	SHA1
EXP-DES-CBC-SHA	RSA(512)	RSA	DES(40)	SHA1
EXP-RC2-CBC-MD5	RSA(512)	RSA	RC2(40)	MD5
EXP-RC4-MD5	RSA(512)	RSA	RC4(40)	MD5

Cipher Suites Supported in v3

SSLv3 can be used only with FIPS_MODE=NO. It uses the same cipher suites as TLSv1 with FIPS_MODE=NO.