Creating certificates to encrypt the connection between Db2 for z/OS and Db2 Data Gate
To continue setting up AT-TLS, you need a signer certificate and a server certificate. Use the signer certificate to sign the server certificate. The signer certificate can be a certificate from an external certificate authority (CA), an internal CA, or a self-signed certificate.
About this task
SSL connections require a certificate that identifies the server and that can be used to encrypt the network connections to this server.
In the z/OS operating system, such certificates are managed by RACF®, and are stored in a RACF object called a key ring. You must specify this key ring in your TCPCONFIG data set, so that it can be used by the AT-TLS component.
The certificate that you use can be a certificate issued by an external or an internal certificate authority (CA). Certificates issued by known external CAs have the advantage that they can be validated correctly by connecting clients without completing any prerequisite steps, provided that the CA is known to the client application. Since clients often use predefined libraries that are distributed freely, this is, in many cases, not a problem.
Client applications within an organization can usually be linked against the certificate libraries of an internal CA, which also lets you reuse an established infrastructure.
However, if you do not have access to certificates of an external or internal CA, you can create a self-signed certificate. Such certificates require an import on the client side (Db2 Data Gate on IBM Cloud Pak® for Data) because the client application needs to "know" whether the certificate and the server identity behind it can be trusted.
You do not have to create an extra certificate for inbound access because a copy of the certificate for outbound network traffic will be used. Following the process in Generating and exporting a key pair and a certificate for Db2 Data Gate guarantees that the certificates for inbound and outbound network traffic bear the same digital signature because you create only one certificate, export it, and then import a copy of that certificate. Identical signatures on both certificates are mandatory.
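The sequence described above, written out as an added example that is not part of this IBM topic: a REXX exec that issues RACDCERT commands to create a self-signed signer (CA) certificate, sign a server certificate with it, place both in a key ring for AT-TLS, and export the server certificate once for import on the Db2 Data Gate side. The user ID DGSTC, the ring name DGRING, the certificate labels, the distinguished-name values, the expiry date and the export data set name are assumptions; replace them with your own. The export format that the Db2 Data Gate import expects is described in the linked topic, not here, so FORMAT(CERTB64) below is also an assumption.

```rexx
/* REXX -- added example, not from the IBM topic. All names below are assumed. */
/* Helper: run a TSO command and stop on the first failure.                   */
call tso "RACDCERT CERTAUTH GENCERT",
         "SUBJECTSDN(CN('Example Internal CA') O('EXAMPLE') C('US'))",
         "WITHLABEL('EXAMPLE-CA') NOTAFTER(DATE(2030-12-31))"
/* 1. above: signer certificate, a self-signed CA certificate owned by RACF (CERTAUTH). */

/* 2. Server certificate for the Db2 for z/OS side, signed with the signer certificate.
      DGSTC is the assumed user ID under which the server runs.                        */
call tso "RACDCERT ID(DGSTC) GENCERT",
         "SUBJECTSDN(CN('db2.example.com') O('EXAMPLE') C('US'))",
         "WITHLABEL('DB2-DATAGATE-SERVER')",
         "SIGNWITH(CERTAUTH LABEL('EXAMPLE-CA'))",
         "NOTAFTER(DATE(2030-12-31))"

/* 3. Key ring that AT-TLS uses; connect signer and server certificate.
      DEFAULT marks the server certificate as the one presented on the connection. */
call tso "RACDCERT ID(DGSTC) ADDRING(DGRING)"
call tso "RACDCERT ID(DGSTC) CONNECT(CERTAUTH LABEL('EXAMPLE-CA') RING(DGRING))"
call tso "RACDCERT ID(DGSTC) CONNECT(ID(DGSTC) LABEL('DB2-DATAGATE-SERVER')",
         "RING(DGRING) DEFAULT)"

/* 4. Export the server certificate exactly once. The same exported copy is imported on
      the Db2 Data Gate side, so inbound and outbound traffic use one certificate that
      carries one and the same signature. CERTB64 exports the certificate only (no key). */
call tso "RACDCERT ID(DGSTC) EXPORT(LABEL('DB2-DATAGATE-SERVER'))",
         "DSN('DGSTC.DATAGATE.CERT') FORMAT(CERTB64)"

/* 5. Refresh the in-storage profiles so the new certificates and ring become visible. */
call tso "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"

/* Check: list the ring; the server certificate must show as DEFAULT and the signer
   certificate must be present, otherwise AT-TLS cannot build the certificate chain. */
call tso "RACDCERT ID(DGSTC) LISTRING(DGRING)"
exit 0

tso: procedure
  parse arg cmd
  address TSO cmd
  if rc <> 0 then do
    say "Command failed with RC" rc":" cmd
    exit rc
  end
  return
```

Run the exec from a TSO user ID that holds the RACF authority to issue RACDCERT for CERTAUTH and for the DGSTC user ID. The LISTRING output is the check worth keeping: it confirms which certificate AT-TLS will present and that its signer is in the same ring.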
The steps in the following topics provide you with all the information needed to create a self-signed certificate and to set up a working AT-TLS connection using this certificate.
If you already have a certificate that you can reuse for this purpose, you can skip the steps that deal with the certificate creation and adapt the steps in which the correct certificate must be specified.