Certificates, keys, and keyrings - USS

The CAE Server, when installed on USS, can be configured to access certificates and keys from SAF keyrings instead of from .jks files in HFS.

Earlier releases of the CAE only supported a JKS keystore (the file "defaultKeystore.jks"). To increase security, the CAE Server now also supports certificates and keys that are stored in SAF keyrings, so access to them is governed by your security manager rather than by a keystore password and HFS file permissions. The CAE Server can also use the private keys for those certificates when the keys are held in the mainframe cryptographic hardware through ICSF (the CCA interface).

Note: The CAE Server, when installed on Windows, can only use certificates and keys that are stored in .jks files.

Requirements

To access certificates and keys from SAF keyrings (instead of from .jks files in HFS) the CAE Server requires a certificate (containing a private key) for the HTTPS listener to use to identify the CAE Server to clients and encrypt the data sent over the network.

Note: For architectural reasons, the certificate you use must be in both the keystore and the truststore for your CAE Server (it must "trust itself").

Procedure

To tailor keystore and truststore usage for your CAE Server installation on USS, edit the STDENV DD statement of SAMPLIB member CQMCAESV to specify the type of keystore and truststore you intend to use and their locations. The STDENV DD statement of CQMCAESV defines the following environment parameters for this purpose:

  • CQM_CAE_KEYSTORE_TYPE
  • CQM_CAE_TRUSTSTORE
  • CQM_CAE_KEYSTORE

Examples

Using a RACF® keyring:

CQM_CAE_KEYSTORE_TYPE=RACF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING1
CQM_CAE_KEYSTORE=safkeyring:///CQMRING1

Using a RACF keyring whose private keys are held in the cryptographic hardware (ICSF):

CQM_CAE_KEYSTORE_TYPE=ICSF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING2
CQM_CAE_KEYSTORE=safkeyring:///CQMRING2
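The following pre-flight check is an added example, not code from the product or its SAMPLIB member: a POSIX sh script that validates the three keystore parameters in a STDENV-style fragment before the CQMCAESV job is submitted. It assumes the fragment holds one NAME=value per line, accepts only the two keystore types shown above (RACF and ICSF; whatever value selects a .jks file is not documented on this page and is therefore rejected), requires both store locations to use the safkeyring:///RINGNAME form, and only warns when the keystore and truststore name different rings, because the requirement stated above is that the server certificate be present in both. The sample fragments embedded in the script are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the product or its SAMPLIB): pre-flight check of the
# keystore parameters in a STDENV-style fragment for the CAE Server on USS.
# Assumptions: one NAME=value per line; documented keystore types are RACF and ICSF only.

# Constructed sample fragment mirroring the documented RACF example.
SAMPLE_STDENV='CQM_CAE_KEYSTORE_TYPE=RACF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING1
CQM_CAE_KEYSTORE=safkeyring:///CQMRING1'

# Constructed sample with a misspelled keystore type, which the check must reject.
BROKEN_STDENV='CQM_CAE_KEYSTORE_TYPE=ICFSF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING2
CQM_CAE_KEYSTORE=safkeyring:///CQMRING2'

# stdenv_value FILE NAME: print the value of the last NAME=value line in FILE
# (leading blanks tolerated, trailing blanks stripped; empty if NAME is absent).
stdenv_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_ring_url NAME VALUE: VALUE must be safkeyring:///RINGNAME, the form used on
# this page (three slashes: a ring owned by the user ID the CAE Server runs under).
check_ring_url() {
    case "$2" in
        safkeyring:///?*) return 0 ;;
        "")  echo "$1 is not set" >&2; return 1 ;;
        *)   echo "$1=$2: expected safkeyring:///RINGNAME" >&2; return 1 ;;
    esac
}

# check_stdenv FILE: returns 0 when the keystore settings are consistent, 1 otherwise.
# Problems are reported on stderr so the script can be used from a job step.
check_stdenv() {
    rc=0
    ks_type=$(stdenv_value "$1" CQM_CAE_KEYSTORE_TYPE)
    ks_url=$(stdenv_value "$1" CQM_CAE_KEYSTORE)
    ts_url=$(stdenv_value "$1" CQM_CAE_TRUSTSTORE)

    case "$ks_type" in
        RACF|ICSF) ;;
        "") echo "CQM_CAE_KEYSTORE_TYPE is not set" >&2; rc=1 ;;
        *)  echo "CQM_CAE_KEYSTORE_TYPE=$ks_type: expected RACF or ICSF" >&2; rc=1 ;;
    esac
    check_ring_url CQM_CAE_KEYSTORE "$ks_url" || rc=1
    check_ring_url CQM_CAE_TRUSTSTORE "$ts_url" || rc=1

    # The server certificate must be in both stores ("trust itself"). Pointing both
    # parameters at the same ring is the simplest way to guarantee that, so a
    # mismatch is a warning, not a failure.
    if [ "$rc" -eq 0 ] && [ "$ks_url" != "$ts_url" ]; then
        echo "warning: keystore and truststore are different rings; connect the server certificate to both" >&2
    fi
    return "$rc"
}

# Stand-alone demonstration on the two constructed fragments.
tmp_ok=$(mktemp) && printf '%s\n' "$SAMPLE_STDENV" > "$tmp_ok"
tmp_bad=$(mktemp) && printf '%s\n' "$BROKEN_STDENV" > "$tmp_bad"
check_stdenv "$tmp_ok" && echo "sample fragment: OK"
check_stdenv "$tmp_bad" || echo "broken fragment: rejected (exit status $?)"
rm -f "$tmp_ok" "$tmp_bad"
```

Run it against a copy of the STDENV lines extracted from CQMCAESV; a non-zero exit status means the job would start the HTTPS listener with an unusable keystore or truststore, and the misspelled type in the second constructed fragment is exactly the kind of error the check catches.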

For additional information describing the z/OS® facilities and how to work with them in Java™, refer to Java Security on z/OS - The Complete View:

http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf

Relevant sections include Chapter 11, Java and key management on z/OS, particularly Section 3, z/OS keystore details and provider requirements.