Setting up encryption

The agent for z/OS uses TCP/IP to connect to Db2® on z/OS, the Profile Service in IBM z/OS Debugger, and IBM® DevOps Test Virtualization Control Panel (Test Virtualization Control Panel). You can set up TLS encryption on each of these connections. The connection to Test Virtualization Control Panel is encrypted by default.

  1. Obtain a copy of the certificate authority (CA) certificate that was used to sign the certificate used by Db2 for z/OS.

    This can be a publicly available CA certificate, or your site might use a privately administered CA. Your security administrator can provide more information.

  2. In IBM DevOps Test Integrations and APIs (Test Integrations and APIs), create an Identity Store (keystore) for the Db2 transport to use, and then import the CA certificate into it.

    If you encrypt the connection to Db2 on z/OS and you also choose to use Db2 as your simulation database, you must also import into your keystore the CA certificate with which your simulation Db2 instance was signed.

  3. Create a text file that contains the following property:
    db2.jcc.override.sslConnection=true
  4. Open the zosagent.ini file for editing, and then add the following properties at the end of the file:

    -Ddb2.jcc.propertiesFile=fully/qualified/path/to/text/file/containing/property

    -Djavax.net.ssl.trustStore=fully/qualified/path/to/truststore/containing/server/CA/certificate

    -Djavax.net.ssl.trustStorePassword=trustStorepassword

  5. Choose one of the following options to set up encryption for the connection to the Profile Service in IBM z/OS Debugger:
    • Select Trust All for Server certificates to trust on the database driver z/OS tab. When you select Trust All, you do not provide the Agent for z/OS with the CA certificate that was used to sign the Profile Service certificate.
    • If you do not want to select Trust All, you must perform the following steps to encrypt the messages between the Agent for z/OS and the Profile Service:
      1. Obtain a copy of the certificate authority (CA) certificate that was used to sign the certificate used by the Profile Service.

        This can be a publicly available CA certificate, or your site might use a privately administered CA. Your security administrator can provide more information.

      2. Within the same Test Integrations and APIs Identity Store (keystore) used to store the Db2 CA certificate, import the CA certificate that was used to sign the Profile Service certificate.
        Note:
        If the Profile Service certificate and the Db2 certificates were signed by using the same CA certificate, skip this step.
      3. If you did not set up the agent to use the Test Integrations and APIs Identity Store, perform steps 3 and 4 in this task to set up encryption of the Db2 connection.
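
A check of the settings from steps 3 and 4, as an added example that is not part of the IBM documentation or product: it confirms that zosagent.ini names fully qualified, existing files and that the properties file enables sslConnection. It assumes Unix-style paths, the function names are hypothetical, and the permission test on the ini file (which holds the truststore password in clear text) is an extra hardening check that the steps above do not require.

```shell
# Usage (added example): source this file, then run: check_zosagent_tls /path/to/zosagent.ini

# Print the value of the last "-D<name>=" line in the ini file.
ini_value() {  # $1 = ini file, $2 = property name
    sed -n "s|^[[:space:]]*-D$2=||p" "$1" | tr -d '\r' | tail -n 1
}

# Return 0 if the TLS settings are consistent, otherwise the number of findings.
check_zosagent_tls() {  # $1 = path to zosagent.ini
    ini=$1; findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    [ -r "$ini" ] || { echo "FAIL: cannot read $ini"; return 1; }

    props=$(ini_value "$ini" db2.jcc.propertiesFile)
    store=$(ini_value "$ini" javax.net.ssl.trustStore)
    pass=$(ini_value "$ini" javax.net.ssl.trustStorePassword)

    # Step 4: both paths must be fully qualified and must point to existing files.
    for item in "db2.jcc.propertiesFile:$props" "javax.net.ssl.trustStore:$store"; do
        name=${item%%:*}; path=${item#*:}
        case $path in
            "")  fail "$name is not set" ;;
            /*)  [ -f "$path" ] || fail "$name points to a missing file: $path" ;;
            *)   fail "$name is not a fully qualified path: $path" ;;
        esac
    done
    [ -n "$pass" ] || fail "javax.net.ssl.trustStorePassword is not set"

    # Step 3: the properties file must contain db2.jcc.override.sslConnection=true.
    if [ -f "$props" ]; then
        grep -Eq '^[[:space:]]*db2\.jcc\.override\.sslConnection[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$props" ||
            fail "db2.jcc.override.sslConnection=true not found in $props"
    fi

    # Assumption (not from the page): the ini file stores the truststore password
    # in clear text, so it should not be readable by group or others.
    if [ -n "$(find "$ini" \( -perm -040 -o -perm -004 \))" ]; then
        fail "$ini is readable by group or others"
    fi

    [ "$findings" -eq 0 ] && echo "OK: TLS settings in $ini are consistent"
    return "$findings"
}
```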