Configuring SSL (TLS) for a zRule Execution Server for z/OS using RACF

You can use a RACF keyring as an SSL keystore.

About this task

You must set the HBRSSLKEYSTORE property to the value SAF to use a SAF keyring such as RACF.

First, create a signing certificate. Then, use this signing certificate to create a server certificate. Finally, export the signing certificate to the client web browser where it is used to authenticate the server certificate.

Procedure

  1. Create a certificate authority (CA) certificate (signing certificate). This example uses RACF commands:
    RACDCERT GENCERT
    CERTAUTH
    SUBJECTSDN(CN('ODM Sample Certification Authority')
    O('IBM')
    OU('ODM'))
    SIZE(1024)
    WITHLABEL('ODM-Sample-Certification')
  2. Create a server certificate signed with the signing certificate from the previous step, where <userid> is the zRule Execution Server for z/OS® started task user ID and <hostname> is the host name of the server on which the zRES runs.
    RACDCERT ID(<userid>) GENCERT
    SUBJECTSDN(CN('<hostname>')
    O('IBM')
    OU('ODM'))
    SIZE(1024)
    SIGNWITH(CERTAUTH LABEL('ODM-Sample-Certification'))
    WITHLABEL('<userid>-zRES')
  3. You need a keyring to which you can add the two certificates. Create a keyring by running the following command, where <userid> is the zRule Execution Server for z/OS started task user ID and <keyring> is the name of the new keyring.
    RACDCERT ADDRING(<keyring>) ID(<userid>)

    Alternatively, you can locate an existing keyring by running this command:

    RACDCERT LISTRING(*) ID(<userid>)
  4. Run these commands to connect the certificates to the keyring you created or located in the previous step:
    RACDCERT ID(<userid>) CONNECT(RING(<keyring>)
    LABEL('ODM-Sample-Certification')
    CERTAUTH)
    RACDCERT ID(<userid>) CONNECT(RING(<keyring>)
    LABEL('<userid>-zRES'))
  5. Export the signing certificate to a CER file:
    RACDCERT CERTAUTH EXPORT(LABEL('ODM-Sample-Certification'))
    DSN('<userid>.CERT.ZRESCERT')
    FORMAT(CERTDER)
    PASSWORD('password')
  6. FTP the exported certificate in binary mode to your workstation, and import it into your browser. When importing, you must manually select the certificate store "Trusted Root Certification Authorities"; allowing the browser to select the location automatically stores the certificate in the wrong place. If you use the Chrome browser, you must close all browser windows and end any remaining Chrome processes for the change to take effect.
  7. Edit the ++HBRWORKPATH++/servers/sslSAF.xml file and add the following XML. The SAF keyring must be specified in the URL form safkeyring://<userid>/<keyring>, where <userid> is the zRule Execution Server for z/OS started task user ID and <keyring> is the name of the keyring. The password attribute is not used to access the SAF keyring, but it must be present and set to the literal value "password".
    <keyStore filebased="false" id="racfKeyStore"
              location="safkeyring://<userid>/<keyring>"
              password="password"
              readOnly="true"
              type="JCERACFKS"/>
    <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
         sslProtocol="SSL_TLS"
         serverKeyAlias="<userid>-zRES" />

Results

SSL for a zRule Execution Server for z/OS is successfully configured for a RACF keyring.

The certificates generated in these steps are signed with the SHA-1 hashing algorithm. For a higher level of security, use a SHA-2 algorithm instead. For instructions, see https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/le-gencert.htm
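Before importing the exported CER file into a browser (step 6), it is worth confirming on the workstation that the file really is the expected signing certificate and checking which hash algorithm signed it, since the note above says the RACF-generated certificates use SHA-1. The following is an added example, not code from the IBM page or product: a standard-library-only reader for the DER certificate that reports the subject CN, the signature algorithm and the RSA key size. Because no real RACF export can be included here, `build_sample_cert` constructs a structurally valid stand-in certificate with dummy signature bytes; the subject name and label values come from the page, while the 2048-bit key-size check in `weak_points` is an added recommendation that the page itself does not state.

```python
# Added example: inspect a RACF-exported DER (.cer) certificate with only the
# Python standard library. Not part of the IBM documentation or product.

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
OID_CN = "2.5.4.3"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed element's body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _find_cn(name_body):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue for the CN."""
    for _, rdn_set in _children(name_body):
        for _, atv in _children(rdn_set):
            oid, value = _children(atv)
            if _decode_oid(oid[1]) == OID_CN:
                return value[1].decode("ascii")
    return None


def inspect_der_certificate(der):
    """Return subject CN, signature algorithm and RSA modulus size of a DER cert."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _signature = _children(cert)
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    _serial, _alg, _issuer, _validity, subject, spki = fields[:6]
    _spki_alg, pubkey_bits = _children(spki[1])
    rsa_seq = _children(pubkey_bits[1][1:])[0]        # skip unused-bits byte
    modulus, _exponent = _children(rsa_seq[1])
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    return {
        "subject_cn": _find_cn(subject[1]),
        "signature_algorithm": SIG_ALG_NAMES.get(sig_oid, sig_oid),
        "rsa_key_bits": int.from_bytes(modulus[1], "big").bit_length(),
    }


def weak_points(info):
    """Reasons to regenerate the certificate before trusting it."""
    reasons = []
    if info["signature_algorithm"] == "sha1WithRSAEncryption":
        reasons.append("signed with SHA-1; regenerate with a SHA-2 algorithm")
    if info["rsa_key_bits"] < 2048:         # added check, not from the page
        reasons.append(f"RSA key is only {info['rsa_key_bits']} bits")
    return reasons


# --- constructed sample (not a real RACF export): minimal DER encoder ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def _int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc, a = [a & 0x7F], a >> 7
        while a:
            enc.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(enc))
    return _tlv(0x06, bytes(body))


def _name(cn, o, ou):
    def atv(oid, s):
        return _tlv(0x31, _seq(_oid(oid), _tlv(0x13, s.encode())))
    return _seq(atv("2.5.4.3", cn), atv("2.5.4.10", o), atv("2.5.4.11", ou))


def build_sample_cert(sig_oid="1.2.840.113549.1.1.5", key_bits=1024):
    """Stand-in for the page's 'ODM-Sample-Certification' export; dummy key/signature."""
    modulus = (1 << (key_bits - 1)) | 0x10001            # not a real key
    rsa_key = _seq(_int(modulus), _int(65537))
    spki = _seq(_seq(_oid("1.2.840.113549.1.1.1"), _tlv(0x05, b"")),
                _tlv(0x03, b"\x00" + rsa_key))
    alg = _seq(_oid(sig_oid), _tlv(0x05, b""))
    subject = _name("ODM Sample Certification Authority", "IBM", "ODM")
    validity = _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"340101000000Z"))
    tbs = _seq(_tlv(0xA0, _int(2)), _int(1), alg, subject, validity, subject, spki)
    return _seq(tbs, alg, _tlv(0x03, b"\x00" + bytes(key_bits // 8)))
```

To check a real export, read the CER file in binary mode and pass the bytes to `inspect_der_certificate`; an empty list from `weak_points` means the certificate was signed with SHA-2 and carries a key of at least 2048 bits. The reader parses only the fields needed for that decision and does not validate the signature, so it complements rather than replaces the browser's own verification after import.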