Records Settings in the z/OS Parameter File
In the Connect:Direct® Secure Plus for z/OS® parameter file, the local node record has the following settings:
- Y in the Override field
- N for all Secure+ protocols
- N in the Client Auth field
The settings for the local node record have the following effects:
- Disabling Connect:Direct Secure Plus in the local node record means that the protocol and other settings for secure connections must be defined in each remote node record.
- Enabling the Override parameter allows settings in remote node records to override those in the local node record.
- Client authentication is not enabled for all remote nodes.
The remote node record defined for the OpenVMS node named Q1A.ITAN.V3400 in the z/OS Connect:Direct Secure Plus parameter file has the following settings:
- Node Identification is Q1A.ITAN.V3400. This value must correspond to the node name specified in the Connect:Direct Secure Plus for z/OS network map.
- Override is not applicable in the remote record and defaults to N.
- The TLS 1.0 protocol is enabled for sessions to connect to this node.
- This OpenVMS node will not request client authentication of z/OS nodes with which it communicates.
The following Secure+ Create/Update Panel - SSL/TLS Parameters panel for Connect:Direct Secure Plus for z/OS illustrates the settings for the OpenVMS node named Q1A.ITAN.V3400, with commentary on the values set for the parameters.
The information in the bottom half of the screen pertains to the key certificate for the z/OS node. The OpenVMS remote node record for the z/OS node has client authentication enabled, as shown in Records Settings in the z/OS Remote Node Record for OpenVMS Parameter File. Therefore, when the z/OS node initiates the session, the OpenVMS node (the server) requests that the client send its ID certificate. The OpenVMS node then authenticates the client by validating the key certificate defined on this panel (mfcert_a) against the key certificate specified in the Root Certificate file field (mfcert_a.txt) of the z/OS remote node record in the Connect:Direct Secure Plus for OpenVMS parameter file, as illustrated in Records Settings in the z/OS Remote Node Record for OpenVMS Parameter File. When the z/OS node is the server, it must send its public key, which is stored in the mfcert_a file, to the OpenVMS node during server authentication.
In this example, the z/OS key certificate resides in the default key database defined for the local node (indicated by *). If the certificate location does not default to the local node, the remote node definition must point to the absolute path. Definitions for the default key database are stored in the local node record. Certificate information identifying the z/OS node to remote nodes and remote nodes to the z/OS node is stored in the GSKKYMAN database. When certificates are exchanged, trading partners send the ID certificate portion of their keys to each other. In the z/OS system, this information must be imported into the GSKKYMAN database.
The TLS ciphers previously selected are shown using the standard two-byte IBM® convention for displaying ciphers (352F04050A09030601). The systems negotiate a cipher suite common to both the z/OS and OpenVMS nodes to encrypt information during the handshake and when actual data is being transmitted.
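The cipher string shown on the panel is a concatenation of codes, two hexadecimal characters per cipher, in preference order. The following Python helper is an added example for reviewing such a string; it is not part of the Connect:Direct product or of IBM's documentation. It splits the string into individual codes, maps each code to a cipher-suite name, and flags the suites a reviewer would normally remove from a production configuration (NULL, export-grade, RC4, DES and 3DES). The code-to-name table is an assumption taken from the IBM System SSL (gskssl) two-character cipher specification as the author of this example recalls it, and should be verified against the documentation for your z/OS release; the `WEAK_MARKERS` policy is likewise the example's own choice.

```python
"""Audit an IBM System SSL style cipher specification string.

Added example (not IBM or Connect:Direct code). It parses the kind of
cipher string displayed on the Secure+ SSL/TLS Parameters panel, for
instance 352F04050A09030601, and reports which entries are weak.
"""
from dataclasses import dataclass

# Assumption: code-to-name pairs as in the IBM System SSL (gskssl)
# two-character cipher specification. Each code equals the low byte of the
# IANA cipher-suite identifier. Verify against your release's gskssl
# documentation before relying on these names.
CIPHER_NAMES = {
    "01": "SSL_RSA_WITH_NULL_MD5",
    "02": "SSL_RSA_WITH_NULL_SHA",
    "03": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "SSL_RSA_WITH_RC4_128_MD5",
    "05": "SSL_RSA_WITH_RC4_128_SHA",
    "06": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "SSL_RSA_WITH_DES_CBC_SHA",
    "0A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Example policy (an assumption of this script): any suite whose name carries
# one of these markers offers no encryption, export-grade key lengths, RC4,
# single DES or 3DES, and is reported as weak. "DES" also matches "3DES_EDE".
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES")

HEX_DIGITS = set("0123456789ABCDEF")


@dataclass
class CipherEntry:
    code: str   # two-character code as shown on the panel
    name: str   # cipher-suite name, or "UNKNOWN" if not in the table
    weak: bool  # True when the suite fails the WEAK_MARKERS policy


def parse_cipher_spec(spec: str) -> list[CipherEntry]:
    """Split a cipher string into entries, preserving preference order.

    Raises ValueError for odd-length strings or non-hexadecimal characters,
    because a silently mis-aligned string would be audited against the wrong
    codes.
    """
    spec = spec.strip().upper()
    if len(spec) % 2 != 0:
        raise ValueError(f"cipher spec has odd length: {spec!r}")
    entries: list[CipherEntry] = []
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if not set(code) <= HEX_DIGITS:
            raise ValueError(f"non-hexadecimal cipher code: {code!r}")
        name = CIPHER_NAMES.get(code, "UNKNOWN")
        # An unrecognised code is treated as weak so that it is reviewed
        # rather than silently accepted.
        weak = name == "UNKNOWN" or any(m in name for m in WEAK_MARKERS)
        entries.append(CipherEntry(code=code, name=name, weak=weak))
    return entries


def weak_codes(spec: str) -> list[str]:
    """Return the codes that the policy flags, in the order they appear."""
    return [e.code for e in parse_cipher_spec(spec) if e.weak]


def hardened_spec(spec: str) -> str:
    """Return the same string with the flagged codes removed.

    Order is preserved so the remaining entries keep their preference rank.
    """
    return "".join(e.code for e in parse_cipher_spec(spec) if not e.weak)


if __name__ == "__main__":
    # Constructed sample: the cipher string quoted on the panel above.
    sample = "352F04050A09030601"
    for entry in parse_cipher_spec(sample):
        flag = "WEAK" if entry.weak else "ok"
        print(f"{entry.code}  {entry.name:<40} {flag}")
    print("hardened spec:", hardened_spec(sample))
```

Running the script on the panel's string lists all nine codes and keeps only the two AES suites (35 and 2F) in the hardened string; the rest are either export-grade, RC4, DES/3DES or offer no encryption at all. Because the string is read in order, the output also shows which suites the node would prefer first during negotiation with the OpenVMS node.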