Securing the connection to CICS Transaction Server for z/OS by using SSL

Configure the CICSRequest node to communicate with CICS® Transaction Server for z/OS® over the Secure Sockets Layer (SSL) protocol by updating a CICS Connection policy or the CICSRequest node to use SSL.

Before you begin

Ensure that you have completed the following tasks:
  1. The CICSRequest node does not support a separate truststore, so the keystore file must provide both personal and signer certificates. If client-authentication (CLIENTAUTH) is enabled in the TCPIPSERVICE in CICS, the IBM® App Connect Enterprise keystore file must also contain a personal certificate that is trusted by CICS.
  2. Define the COMMAREA data structure as a message set, as described in Defining a CICS Transaction Server for z/OS data structure.
  3. Configure IP InterCommunications (IPIC) protocol on CICS, as described in Preparing the environment for the CICSRequest node.

About this task

To configure the CICSRequest node to use SSL, complete the following steps:

Procedure

  1. For client-authenticated (CLIENTAUTH) SSL connections, CICS expects the SSL client certificate to be mapped to a RACF® user ID. Therefore the SSL client certificate must be mapped to a RACF user ID before attempting to establish the SSL connection to CICS. If the client certificate is not mapped to a RACF user ID, IBM App Connect Enterprise might display a ECI_ERR_NO_CICS response. You can map a client certificate to a RACF user ID by using the RACF command RACDCERT, which stores the client certificate in the RACF database and associates a user ID with it, or by using RACF certificate name filtering. Client certificates can be mapped one-to-one with a user ID, or a mapping from one to the other can be provided to allow a many-to-one mapping. You can achieve this mapping by using one of the following methods:
    • Associating a client certificate with a RACF user ID
      1. Copy the certificate that you want to process into an MVS™ sequential file. The file must have variable length, blocked records (RECFM=VB), and be accessible from TSO.
      2. Run the RACDCERT command in TSO by using the following syntax:
        RACDCERT ADD('datasetname') TRUST [ ID(userid) ]

        Where:

        • datasetname is the name of the data set containing the client certificate.
        • userid is the user ID to be associated with the certificate. This parameter is optional. If omitted, the certificate is associated with the user issuing the RACDCERT command.

        When you issue the RACDCERT command, RACF creates a profile in the DIGTCERT class. This profile associates the certificate with the user ID. You can then use the profile to translate a certificate to a user ID without giving a password. For full details of RACF commands, see z/OS Security Server RACF Command Language Reference.

    • RACF certificate name filtering
      With certificate name filtering, client certificates are not stored in the RACF database. The association between one or more certificates and a RACF user ID is achieved by defining a filter rule that matches the distinguished name of the certificate owner or issuer (CA). A sample filter rule might look like the following example:
      RACDCERT ID(DEPT3USR) MAP SDNFILTER
      (OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US)
      This sample filter rule would associate user ID DEPT3USR with all certificates when the distinguished name of the certificate owner contains the organizational unit DEPT1 and DEPT2, the organization IBM, the locality LOC, the state/province NY, and the country US.
  2. Turn on SSL support in the integration server by setting the CICS Server property on the CICS Connection policy.
    Alternatively you can configure the CICS server property directly on the CICSRequest node.

What to do next

When you have configured the integration server or the CICSRequest node to use SSL, develop a message flow that contains a CICSRequest node by following the steps in Developing a message flow with a CICSRequest node.