Establishing secure communication between the z/OS Debugger Profiles view and your z/OS system for CICS

These steps help you enable secure communication via Secure Sockets Layer (SSL) between the z/OS Debugger Profiles view with Eclipse and your z/OS® system. The communication between the client and server uses the HTTP protocol. Z Open Debug provided with Wazi for Dev Spaces or Wazi for VS Code does not support direct communication between the client and the DTCN API.

Server-side setup

To enable SSL communication, do the following tasks for the server side:
  • Generate a key pair and a self-signed certificate.
    1. Use the RACF GENCERT command to create a key entry for the CICS® region owner. The key entry contains the key pair and self-signed certificate.
      Note: The following example shows the RACF commands as they would be coded in a REXX exec. This is recommended because of the length of the commands.
      Example (Create a key entry for user USERID with label: USERID-DTCNPLG-CERT):
      /* generate key entry */
      "RACDCERT ID(USERID) GENCERT",
      " SUBJECTSDN(CN('your_host_name.com' )",
      "T ('USERID-DTCNPLG-CERT' ) ",
      "OU('IBM' ) ",
      "O ('IBM' ) ",
      "L ('San Jose' ) ",
      "SP('CA' ) ",
      "C ('US' ))",
      " NOTBEFORE(DATE(2011-02-28) TIME(20:00:00) )",
      " NOTAFTER (DATE(2031-12-31) TIME(19:59:59) )",
      " WITHLABEL('USERID-DTCNPLG-CERT' )",
      " SIZE (1024 )"
      
      The common name (CN) in the subject's distinguished name (SUBJECTSDN) must be the host name of the server that the client uses to connect to the host.
    2. Connect the key entry to a key ring that belongs to the CICS region owner ID.
      Example (Connect it to a key ring named USERID):
      /* connect key entry to key ring */
      "RACDCERT ID(USERID )",
      "CONNECT( RING(USERID ) ",
      " LABEL('USERID-DTCNPLG-CERT' ))"
    3. Export the certificate and store it in a data set using the printable encoding format defined by the internet RFC 1421 standard.
      Example (Export the certificate to a data set: USERID.DTCNPLG.CERT):
      /* export certificate to a data set */
      "RACDCERT EXPORT(LABEL('USERID-DTCNPLG-CERT' ) ",
      " ID(USERID ) ",
      " DSN('USERID.DTCNPLG.CERT' ) ",
      " FORMAT(CERTB64 ) "
  • Update system initialization parameters in CICS region.
    1. Add a KEYRING system initialization parameter to the CICS region job and point it to the key ring created for the region owner ID.
    2. The following example adds KEYRING to the CICS region's system initialization parameters:
      SIT=6$,               
      START=INITIAL,        
      RENTPGM=PROTECT,      
      ...
      TRANISO=YES,   
      KEYRING=key-ring-name,
      EDSALIM=132M,           
              ...
  • Modify the TCPIPSERVICE you defined above to set these two attributes:
    • SSl : Yes (possible values: Yes | No | Clientauth)
    • CErtificate : USERID-DTCNPLG-CERT

Client-side setup

To enable SSL communication, do the following tasks for the client side. For the z/OS Debugger Profiles view users with Eclipse, the following tasks are not required because users will be prompted to accept or decline any certificates that are not installed when using the view.
  • Install client certificate.

    Because the server certificate generated is not from an authorized CA, you need to install the certificate into the keystore that IBM® Developer z/OS® uses.

    1. Get a client certificate by downloading a copy of the exported server certificate (using text mode) that is created in step 3 of Server-side setup above to your workstation.
    2. Import the client certificate into the keystore. The following is an example of how to import the certificate into the keystore using the keytool utility provided by Java™.

      For Java version 1.7:

      keytool -importcert -alias myprivateroot -keystore C:\YOUR_WORKSPACE_DIRECTORY\.metadata\.plugins\com.ibm.cics.core.comm\explorer_keystore.jks -file dtcnplg.cer

      dtcnplg.cer is the client certificate. The initial password for the keystore is changeit.

    Notes:
    • For Java version 1.7, the default keystore is: C:\YOUR_WORKSPACE_DIRECTORY\.metadata\.plugins\com.ibm.cics.core.comm\explorer_keystore.jks
    • For IBM Developer for z/OS, the keytool utility can be found in this Java installation bin directory, C:\DEVELOPER_FOR_Z_SYSTEMS\jdk\jre\bin.
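
Before importing the downloaded file into the keystore, it is worth confirming that the text-mode transfer produced a usable RFC 1421 (CERTB64) file and recording its SHA-256 fingerprint, which can be compared with the fingerprint shown by `keytool -printcert -file dtcnplg.cer`. The following Python check is an added example, not part of the product documentation; the function names are hypothetical and the sample is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
EBCDIC_DASHES = b"\x60" * 5  # "-----" as EBCDIC bytes (binary-mode download)
# Constructed stand-in for a certificate body: DER SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode() + "\n" + END + "\n").encode("ascii")


def der_total_length(der: bytes) -> int:
    """Return header + content length of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] < 0x80:  # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F  # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_exported_cert(raw: bytes) -> str:
    """Validate a CERTB64 export; return its SHA-256 fingerprint (AA:BB:...)."""
    if EBCDIC_DASHES in raw[:80]:
        raise ValueError("file is still EBCDIC: download it again in text mode")
    text = raw.decode("ascii", errors="replace")
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE armor found")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("base64 body is damaged: %s" % exc) from exc
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print(check_exported_cert(SAMPLE_PEM))
```
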