IBM Connect:Direct Access to System Resources for SSL or TLS

Before you can configure the Connect:Direct® Secure Plus records to use the SSL or TLS protocol, you must ensure that the IBM Connect:Direct components have access to the resources listed in the following table.

Component: IBM Connect:Direct
Access to Resource:
z/OS UNIX System Services or POSIX environment must be installed and set up for IBM Connect:Direct access.
Access to the following APF-authorized IBM system libraries through the STEPLIB or LINKLST:
  • CEE.SCEERUN and CEE.SCEERUN2 (language environment)
  • CBC.SCLBDLL (C/C++ environment)
  • SYS1.SIEALNKE for IBM z/OS® (System SSL Environment)
For end-user server certificates with ICSF private key type:
  • The ICSF application must be running on the same environment as IBM Connect:Direct.
  • The Crypto Hardware device and the ICSF application must be running and accessible by IBM Connect:Direct.

Component: IBM Connect:Direct User ID (under which DTF runs)
Access to Resource:
Address space uses the maximum sockets (and other TCP/IP configurations) assigned by the UNIX System Services
OMVS access
A default UNIX directory
UPDATE authority to the BPX.SERVER facility
READ authority to the CSFSERV facility class

Component: SSL/TLS
Access to Resource:
Access to key database or key ring as follows:
  • gskkyman key database
  • RACF®, CA-ACF2, or CA-Top Secret key ring
Access to the following APF-authorized IBM system library through the STEPLIB or LINKLST:
  • SYS1.SIEALNKE for IBM z/OS (System SSL Environment)
Permission to read IBM Connect:Direct key ring that is created using RACDCERT, as follows:
  • Define the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING resources with universal access of None.
  • Grant the IBM Connect:Direct User ID read access to the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING resources in the FACILITY class.
  • Activate the FACILITY general resource class.
  • Refresh the FACILITY general resource class.

Component: IBM Connect:Direct User ID key database or key ring
Access to Resource:
Verification of other certificates requires access to the trusted root certificate of either:
  • A trusted CA certificate
  • Copy of a self-signed trusted certificate without private key

Component: IBM Connect:Direct Secure Plus Parameter file
Access to Resource:
Your node must have a remote node record in the parameter file of each of your trading partners that will use secure connections.
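
The four key ring permission steps listed for SSL/TLS, together with the BPX.SERVER requirement for the DTF user ID, can be expressed as RACF commands. This is an added example, not taken from the IBM page; CDUSER is a placeholder for the user ID under which the DTF runs, and the refresh assumes the FACILITY class is RACLISTed on your system.

```tso
  /* Added example. CDUSER is a placeholder for the DTF user ID.     */

  /* 1. Define both resources with universal access of NONE.         */
  RDEFINE FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)

  /* 2. Grant the Connect:Direct user ID READ access to both.        */
  PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(CDUSER) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CDUSER) ACCESS(READ)

  /* UPDATE authority to BPX.SERVER for the same user ID.            */
  /* Assumes the BPX.SERVER profile is already defined.              */
  PERMIT BPX.SERVER CLASS(FACILITY) ID(CDUSER) ACCESS(UPDATE)

  /* 3. Activate the FACILITY general resource class.                */
  SETROPTS CLASSACT(FACILITY)

  /* 4. Refresh the in-storage FACILITY profiles so the changes      */
  /*    take effect (assumes the class is RACLISTed).                */
  SETROPTS RACLIST(FACILITY) REFRESH

  /* Check: UACC should show NONE and the access list should show    */
  /* CDUSER with the access level granted above.                     */
  RLIST FACILITY IRR.DIGTCERT.LIST     AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
  RLIST FACILITY BPX.SERVER            AUTHUSER
```

READ access to IRR.DIGTCERT.LISTRING lets a user ID list only the key rings it owns, so the key ring should belong to the DTF user ID. Review the RLIST output for any other IDs or groups on the access lists, since everyone listed there holds the same authority.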