Configure the CICSRequest node to communicate with CICS® Transaction Server for z/OS® over the Secure Sockets Layer (SSL) protocol by updating a CICS Connection policy or the CICSRequest node to use SSL.
Before you begin
Ensure that you have completed the following tasks:
- Provide both personal and signer certificates in the keystore file, because the CICSRequest node does not support a separate truststore. If client authentication (CLIENTAUTH) is enabled in the TCPIPSERVICE in CICS, the IBM® App Connect Enterprise keystore file must also contain a personal certificate that is trusted by CICS.
- Define the COMMAREA data structure as a message set, as described in Defining a CICS Transaction Server for z/OS data structure.
- Configure the IP InterCommunications (IPIC) protocol on CICS, as described in Preparing the environment for the CICSRequest node.
About this task
To configure the CICSRequest node to use SSL, complete the following steps:
Procedure
- For client-authenticated (CLIENTAUTH) SSL connections, CICS expects the SSL client certificate to be mapped to a RACF® user ID. Therefore, the SSL client certificate must be mapped to a RACF user ID before you attempt to establish the SSL connection to CICS. If the client certificate is not mapped to a RACF user ID, IBM App Connect Enterprise might display an ECI_ERR_NO_CICS response. You can map a client certificate to a RACF user ID by using the RACF command RACDCERT, which stores the client certificate in the RACF database and associates a user ID with it, or by using RACF certificate name filtering. Client certificates can be mapped one-to-one with a user ID, or a single mapping can be provided that allows many certificates to map to one user ID (many-to-one). You can achieve this mapping by using one of the following methods:
  - Associating a client certificate with a RACF user ID
    - Copy the certificate that you want to process into an MVS™ sequential file. The file must have variable-length, blocked records (RECFM=VB) and be accessible from TSO.
    - Run the RACDCERT command in TSO by using the following syntax:
      RACDCERT ADD('datasetname') TRUST [ ID(userid) ]
      Where:
      - datasetname is the name of the data set that contains the client certificate.
      - userid is the user ID to be associated with the certificate. This parameter is optional. If it is omitted, the certificate is associated with the user who issues the RACDCERT command.
      When you issue the RACDCERT command, RACF creates a profile in the DIGTCERT class. This profile associates the certificate with the user ID. You can then use the profile to translate a certificate to a user ID without giving a password. For full details of RACF commands, see z/OS Security Server RACF Command Language Reference.
  - RACF certificate name filtering
    With certificate name filtering, client certificates are not stored in the RACF database. The association between one or more certificates and a RACF user ID is achieved by defining a filter rule that matches the distinguished name of the certificate owner or issuer (CA). A sample filter rule might look like the following example:
      RACDCERT ID(DEPT3USR) MAP SDNFILTER(OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US)
    This sample filter rule would associate user ID DEPT3USR with all certificates whose owner distinguished name contains the organizational units DEPT1 and DEPT2, the organization IBM, the locality LOC, the state/province NY, and the country US.
- Turn on SSL support in the integration server by setting the CICS Server property on the CICS Connection policy. Alternatively, you can configure the CICS server property directly on the CICSRequest node.
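To make the two mapping methods concrete, the following added Python example (not IBM or RACF code) models how a client certificate's subject distinguished name resolves to a RACF user ID: an exact registration stands in for RACDCERT ADD ... ID(userid), and SDNFILTER rules are compared against the subject from its C= component inward, with the most specific matching filter winning. The matching semantics are a simplified assumption, and the parser assumes '.'-separated components whose values contain no '.' characters.

```python
from typing import Optional

# Simplified model (added example, not RACF's implementation) of the two
# mapping methods in the procedure above: exact certificate registration
# and certificate name filtering with SDNFILTER rules.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a RACF-style DN such as 'OU=DEPT1.O=IBM.C=US' into (attr, value)
    pairs ordered from the most significant component (C=) inward.
    Assumption: components are '.'-separated and values contain no '.'."""
    pairs = []
    for part in dn.split("."):
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return list(reversed(pairs))


class CertMapper:
    def __init__(self) -> None:
        self.exact: dict[str, str] = {}  # registered subject DN -> user ID
        self.filters: list[tuple[list[tuple[str, str]], str]] = []  # (filter, user ID)

    def add_certificate(self, subject_dn: str, userid: str) -> None:
        """Models RACDCERT ADD(...) TRUST ID(userid): one certificate, one user ID."""
        self.exact[subject_dn] = userid

    def map_filter(self, userid: str, sdnfilter: str) -> None:
        """Models RACDCERT ID(userid) MAP SDNFILTER(...): many certificates, one user ID."""
        self.filters.append((parse_dn(sdnfilter), userid))

    def lookup(self, subject_dn: str) -> Optional[str]:
        """Return the user ID for a client certificate subject, or None when no
        registration or filter applies (the unmapped case the procedure warns about)."""
        if subject_dn in self.exact:
            return self.exact[subject_dn]
        subject = parse_dn(subject_dn)
        best: Optional[tuple[int, str]] = None
        for flt, userid in self.filters:
            # A filter matches when its components, read from C= inward, are a
            # prefix of the subject's components; the longest such filter wins.
            if subject[:len(flt)] == flt and (best is None or len(flt) > best[0]):
                best = (len(flt), userid)
        return best[1] if best else None
```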
What to do next
When you have configured the integration server or the CICSRequest node to use SSL, develop a message flow that contains a CICSRequest node by following the steps in Developing a message flow with a CICSRequest node.