You must have authorization to issue the following RACDCERT commands:
ADD, ADDRING, CONNECT,
EXPORT, GENCERT, LIST, and
LISTRING, to create a RACF key ring and
certificates. For more information about the RACDCERT commands and the
authorizations that are required, see RACDCERT (Manage RACF digital
certificates) in the z/OS Security Server RACF Command Language Reference.
You must have access to the keytool command for creating PKCS12 keystores and
certificates for the client. This command is provided with the IBM SDK for z/OS, Java™ Technology Edition. For more information about the
keytool command, see Keytool in the IBM
SDK, Java Technology Edition Security Guide.
You must have write access to the configuration file.
About this task
This task provides instructions for one typical example use case. The steps are similar for other
use cases and the instructions should be adapted for your environment and requirements. For example,
the client may use RACF or an alternative External Security Manager key ring and certificate, or the
client may use a self-signed certificate. This configuration creates the following artifacts:
A certificate authority (CA) signed personal RACF
certificate for z/OS Connect to identify itself on
TLS connections.
A RACF key ring to act as the server's keystore.
A PKCS12 keystore for a client to use as its truststore so that it can trust the certificate
that is presented by the z/OS Connect Server on the
TLS connection.
You can also configure TLS client authentication, sometimes referred to as mutual TLS
authentication, to require the client to provide its personal certificate on the connection. This
configuration creates the following artifacts:
A CA-signed personal certificate for the client to identify itself on the TLS connections.
A PKCS12 keystore to act as the client's keystore.
A RACF key ring for z/OS Connect to use as its truststore so that it can trust
the certificate that is presented by the client.
The certificates, key rings, and PKCS12 keystore files that are used in this task are described
in Figure 1.
Figure 1. How certificates, key rings, and PKCS12 keystore files are used in this task
This task makes the following assumptions:
RACF is the security manager for z/OS Connect. If you are using an alternative External
Security Manager, refer to the appropriate product documentation for the equivalent commands.
The client, which might be an intermediate server such as an API Gateway, can use PKCS12
keystore files for its keystore and truststore. This task uses a PKCS12 keystore for the client, but
other keystore types or SAF key rings might be used depending on the client and the operating system
that it runs on.
The keytool command is used to create the certificates and PKCS12 keystore
files for the client. z/OS Connect uses a single RACF key ring for both its keystore and truststore. An
alternative method is to use a separate RACF key ring for
each role.
The client uses separate PKCS12 keystore files for its keystore and truststore.
The default z/OS Connect SSL elements in the
configuration file are customized. This method is typical for configuring TLS on the HTTPS port that
is used by z/OS Connect. If you are configuring TLS
for an additional HTTPS port, follow these instructions, but replace the default id
attribute values of the ssl and keyStore elements with customized
values. You would also need to associate the customized ssl element with the
appropriate httpEndpoint element by configuring the sslOptions
subelement. For
example,
In this example, mySSLConfig is the id attribute value
of the ssl element.
Note: The term label is used by RACF and
alias is used by PKCS12 keystore to reference the same artifact, therefore in this
documentation, the phrase label, or alias is used for clarity.
Procedure
In the following steps, you configure the TLS connection between the z/OS Connect Server (steps 1 - 5) and the client (steps 6
- 9). Finally, you configure the z/OS Connect Server
to use the RACF key ring (steps 10 - 13).
Enter the RACF commands from the z/OS LPAR where z/OS Connect is
hosted.
Create a RACF key ring for the z/OS Connect Server to use as its keystore.
Enter the following
command:
RACDCERT ID(ZCSERV1) ADDRING(Keyring.ZOSCONN)
The
command uses the following values:
ZCSERV1 is the user ID that owns the key ring. The user ID under which the z/OS Connect Server runs must have READ access to this
key ring. Either specify the server's user ID on the ID property or ensure that the server's user ID
has READ access to the key ring owned by an alternative user ID.
Keyring.ZOSCONN is the name of the key ring to be created.
Create a CA certificate for z/OS Connect Server.
If a suitable CA certificate exists, skip this step.
Create a self-signed RSA key pair to act as a CA certificate. A key pair
consists of a public and private key.
CN('myServer.host.com') O('IBM') OU('zosConnect') C('US') is an example
distinguished name (DN) for the certificate. The common name (CN) value is typically the hostname of
the z/OS LPAR that hosts z/OS Connect.
zosConnectCA is the label or alias for the CA certificate that is used to sign
the personal certificate.
zosConnectServerCert is the label, or alias, for the personal certificate to be
created and signed.
Connect (add) the personal certificate to the key ring.
zosConnectCA is the label or alias for the CA certificate.
'ZCSERV1.CERTS.ZCCA' is the name of the target z/OS sequential file.
CERTDER specifies a DER encoded X.509 certificate.
In the following steps, you create a truststore for the client containing the z/OS Connect Server's CA certificate as a trusted
certificate.
Prepare to use the keytool command.
Create a directory to contain the certificates and PKCS12 keystore files to be created
by the keytool command.
In a later step, you copy those files to other locations, so if
you run the keytool command on z/OS, make
the location a z/OS
UNIX System Services (USS) directory.
For
example, /u/myuser/zOSConnectCerts.
Add the keytool command to the PATH environment
variable.
For example,
export PATH=$PATH:<javaInstallPath>/bin
The
value <javaInstallPath> is the installation path of the IBM SDK for z/OS that includes the
keytool command.
Import the CA certificate used to sign z/OS Connect
personal certificate into the client's PKCS12 truststore as a trusted certificate.
Transfer in binary format, the z/OS sequential
file 'ZCSERV1.CERTS.ZCCA' containing the exported CA certificate to the
client's workstation.
The method that you use depends on the operating system on which
the client is running and the file transfer utilities you have access to. You might be able to FTP
to the z/OS LPAR and get the z/OS sequential file directly, or you might first need to copy the z/OS sequential file to a USS file, and then get the USS file.
zosConnectCA is the alias to be given to the CA certificate to be
imported.
zosConnectCA.cer is the name of the certificate file that contains the public
key of the CA certificate to be imported.
clientTrust.p12 is the name of the PKCS12 keystore file into which the
certificate is to be imported. This file is used as the client's truststore.
The command creates the PKCS12 keystore file if it does not exist and issues the following
prompt:
Trust this certificate? [no]:
Enter yes in response.
Check that the CA certificate was added to the client's truststore correctly.
List the contents of the client's truststore by issuing the following command from the USS
directory that you created in step 6.
keytool -list -v -keystore clientTrust.p12
The
expected response contains the following information:
Your keystore contains 1 entry
Alias name: zosconnectca
Entry type: trustedCertEntry
Owner: CN=CA for zosConnect, OU=zosConnect, O=IBM, C=US
Issuer: CN=CA for zosConnect, OU=zosConnect, O=IBM, C=US
Make the client's truststore PKCS12 keystore file available to the client.
In this task, the client's truststore is called clientTrust.p12. Transfer
this file in binary mode to the workstation that hosts the client. The instructions for configuring
your client to use these PKCS12 keystore files depend on your client application. For more
information, see the documentation for the client application.
In the following steps, you configure z/OS Connect to use the RACF key ring.
Configure the HTTPS port for z/OS Connect.
Identify an unused TCP/IP port on your z/OS LPAR,
which can be used as the HTTPS port for z/OS Connect.
Specify the port value on the httpsPort attribute of the
httpEndpoint element in the configuration file.
For example, to use 9443 as the
default HTTPS port, add the following element to the
configuration:
defaultKeyStore must match the value that is specified on the
keyStoreRef attribute of the ssl element.
The location value must be the RACF key
ring that acts as the server's keystore.
The password attribute is mandatory, so a value must be specified. However, the
value is not used when type="JCERACFKS" because RACF key rings are not secured with passwords.
You must have access to the keytool command for creating PKCS12 keystores and certificates for
the client. This command is provided with the IBM SDK for z/OS, Java Technology Edition. For more information about the keytool command, see keytool - Key and Certificate Management Tool in the IBM
SDK, Java Technology Edition documentation.
About this task
This optional task describes additional configuration for TLS client authentication, also called
mutual TLS authentication, to require the client to provide its personal certificate on the
connection. It does not include the additional configuration that is required to use the client's
personal certificate to authenticate with IBM z/OS Connect, but is a prerequisite to that task. For more information about configuring a client certificate
to authenticate with z/OS Connect, see How to configure client certificate authentication with RACF for z/OS Connect zosConnect-3.0.
This task provides instructions for one typical example use case. The steps are similar for other
use cases and the instructions should be adapted for your environment and requirements. For example,
the client may use RACF or an alternative External Security Manager key ring and certificate, or the
client may use a self-signed certificate.
This task assumes the client is creating a certificate signing request to send to a Certificate
Authority to generate a CA signed certificate for the client to store in a p12 keystore.
Procedure
In the following steps, you configure TLS client authentication for the
client.
clientCert is the alias of the personal certificate to be created.
CN=myClient.host.com, O=IBM, C=US is an example distinguished name (DN) for the
certificate. The CN value is typically the hostname of the client that owns the certificate.
clientKey.p12 is the name of the PKCS12 file to be dynamically created to act
as the client's keystore.
This command creates the PKCS12 file if it does not exist.
Sign the client's personal certificate with a CA certificate.
A certificate signing
request (CSR) is created for the self-signed personal certificate and sent to a certificate
authority (CA). The CA verifies the request and returns a CA signed version of the personal
certificate, a CA root certificate and optionally, an intermediate certificate.
Create a certificate signing request (CSR) for the personal certificate.
clientCert is the alias to be given to the signed personal certificate to be
imported. It must match the name of the original self-signed personal certificate so that one is
replaced in the keystore.
clientCertSigned.cer is the name of the certificate file that the certificate
authority returns, and contains the signed personal certificate to be imported.
clientKey.p12 is the name of the PKCS12 file into which the certificate is to
be imported. This is the client's keystore.
Confirm that the client's keystore and personal certificate are created correctly.
The
response should contain entries for the signed personal certificate with an Entry
type of PrivateKeyEntry and for the CA root certificate (and if
applicable, the intermediate certificate), an entry with Entry type of
trustedCertEntry.
Export the clients CA certificate (public key) to a certificate file.
clientCA is the alias of the CA certificate to be exported.
clientCA.cer is the name of the certificate file to be created.
clientKey.p12 is the name of the P12 file from which the certificate is to be
exported.
Make the clients keystore PKCS12 file available to the client.
The client's keystore that is created in this task is called clientKey.p12.
Transfer this file in binary mode to the workstation that hosts the client. The instructions for
configuring your client to use these PKCS12 files depend on your client application. For more
information, see the documentation for the client application.
In the following steps, you configure TLS client authentication for z/OS Connect.
Connect the clients CA certificate (public key) to the z/OS Connect Servers
RACF key ring truststore as a trusted certificate.
Transfer the exported clients CA certificate in binary format to the z/OS LPAR where z/OS Connect is hosted, as a z/OS sequential file.
Name the created z/OS sequential file as 'ZCSERV1.CERTS.CLIENT'.
The
transfer method that you use depends on the operating system on which you ran the
keytool command. You might be able to FTP to the z/OS LPAR and put the z/OS sequential file directly. Or
you may first need to FTP the file to a USS directory and then copy that USS file to be a z/OS sequential file.
Confirm that the clients CA certificate is connected to the z/OS Connect Server's key ring correctly.
Enter the following command to list the certificates in the key
ring:
RACDCERT ID(ZCSERV1) LISTRING(Keyring.ZOSCONN)
This
screen capture shows the expected response:
Ring:
>Keyring.ZOSCONN<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
zosConnectCA CERTAUTH CERTAUTH NO
zosConnectServerCert ID(ZCSERV1) PERSONAL NO
clientCA ID(ZCSERV1) CERTAUTH NO
Edit the SSL configuration to be used by z/OS Connect.
Edit the existing ssl repertoire element in the configuration file
to add a trustStoreRef attribute with the default value. Set client
authentication as required by setting clientAuthentication="true".
defaultTrustStore must match the value that is specified on the
trustStoreRef attribute of the ssl element.
The location value must be the RACF key
ring that acts as the server's truststore.
The password attribute is mandatory, so a value must be specified. However, the
value is not used when type="JCERACFKS" because RACF key rings are not secured with passwords.
Start, or restart the server if it was already running, to pick up the changes.
The messages.log file should contain the following
message:
CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host * (IPv6) port 9443
The message uses the following values:
defaultHttpEndpoint-ssl is the id attribute value of the
httpEndpoint element followed by -ssl.
* is the value of the httpEndpoint element host
attribute.
9443 is the value of the httpEndpoint element httpsPort
attribute.
RACDCERT (Manage RACF digital
certificates) in the z/OS Security Server RACF Command Language Reference.