Certificates, keys, and keyrings - USS
The CAE Server, when installed on USS, can be configured to access certificates and keys from SAF keyrings instead of from .jks files in HFS.
Earlier releases of the CAE supported only the JKS keystore (the file "defaultKeystore.jks"). To increase security, the CAE Server now supports certificates and keys that are stored in SAF keyrings. Additionally, the CAE Server can access the private keys for those certificates even when the keys are stored in the mainframe cryptographic hardware through CCA (ICSF), so the private key never has to reside in an HFS file.
Requirements
To access certificates and keys from SAF keyrings (instead of from .jks files in HFS), the CAE Server requires a certificate with an associated private key. The HTTPS listener uses this certificate to identify the CAE Server to clients and to encrypt the data sent over the network.
Procedure
To tailor keystore and truststore usage for your CAE Server installation on USS, edit the STDENV DD statement of SAMPLIB member CQMCAESV to specify the type of keystore and truststore you intend to use and their locations. The following environment parameters, defined in the STDENV DD statement of SAMPLIB member CQMCAESV, control keystore and truststore usage for the CAE Server on USS:
- CQM_CAE_KEYSTORE_TYPE
- CQM_CAE_TRUSTSTORE
- CQM_CAE_KEYSTORE
Examples
Using a RACF® keyring:
CQM_CAE_KEYSTORE_TYPE=RACF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING1
CQM_CAE_KEYSTORE=safkeyring:///CQMRING1
Using a RACF keyring with hardware-stored keys:
CQM_CAE_KEYSTORE_TYPE=ICFSF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING2
CQM_CAE_KEYSTORE=safkeyring:///CQMRING2
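The following Python script is an added example, not part of the product documentation or the CAE Server itself. It parses STDENV-style NAME=VALUE lines and checks that the three parameters are consistent with each other: when the keystore type selects a SAF keyring, both CQM_CAE_KEYSTORE and CQM_CAE_TRUSTSTORE must be safkeyring:// URIs rather than HFS paths, which is the misconfiguration that silently leaves the private key in a .jks file. The sample input embeds the two examples from this page plus one constructed, deliberately mixed configuration. The assumptions are labelled in the code: the type value JKS for the file-based keystore of earlier releases, the optional user ID segment of the safkeyring URI (safkeyring://USERID/RING), and the check_keystore_config helper name.

```python
import re
from typing import Dict, List

# Constructed sample input: the two STDENV examples from the page plus one
# assumed misconfiguration that mixes a keyring type with an HFS .jks path.
SAMPLE_STDENV = {
    "racf_ring": """
CQM_CAE_KEYSTORE_TYPE=RACF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING1
CQM_CAE_KEYSTORE=safkeyring:///CQMRING1
""",
    "hardware_keys": """
CQM_CAE_KEYSTORE_TYPE=ICFSF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING2
CQM_CAE_KEYSTORE=safkeyring:///CQMRING2
""",
    "mixed_bad": """
CQM_CAE_KEYSTORE_TYPE=RACF
CQM_CAE_TRUSTSTORE=safkeyring:///CQMRING1
CQM_CAE_KEYSTORE=/u/cqm/defaultKeystore.jks
""",
}

REQUIRED = ("CQM_CAE_KEYSTORE_TYPE", "CQM_CAE_TRUSTSTORE", "CQM_CAE_KEYSTORE")

# Assumption: "JKS" selects the file-based keystore of earlier releases.
# Every other type value (the page shows RACF and ICFSF) is treated as a
# SAF keyring type whose store locations must be safkeyring:// URIs.
FILE_BASED_TYPES = {"JKS"}

# safkeyring://<optional user ID>/<ring name>; the page's examples use an
# empty user ID (safkeyring:///CQMRING1). The user ID segment is assumed.
SAFKEYRING_RE = re.compile(r"^safkeyring://[^/]*/[A-Za-z0-9@#$.]+$")


def parse_stdenv(text: str) -> Dict[str, str]:
    """Parse NAME=VALUE lines as found in a STDENV DD; skip blanks and comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            env[name.strip()] = value.strip()
    return env


def check_keystore_config(env: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = [f"{name} is not set" for name in REQUIRED if name not in env]
    if problems:
        return problems
    ktype = env["CQM_CAE_KEYSTORE_TYPE"].upper()
    for name in ("CQM_CAE_KEYSTORE", "CQM_CAE_TRUSTSTORE"):
        value = env[name]
        if ktype in FILE_BASED_TYPES:
            # A file-based type must not point at a keyring.
            if value.startswith("safkeyring:"):
                problems.append(f"{name} is a keyring URI but type is {ktype}")
        elif not SAFKEYRING_RE.match(value):
            # A keyring type must not fall back to an HFS path (e.g. a .jks file).
            problems.append(f"{name}={value} is not a safkeyring:// URI for type {ktype}")
    return problems


def check_all(samples: Dict[str, str] = SAMPLE_STDENV) -> Dict[str, List[str]]:
    """Run the check over every sample and map sample name to its problem list."""
    return {label: check_keystore_config(parse_stdenv(text))
            for label, text in samples.items()}


if __name__ == "__main__":
    for label, problems in check_all().items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{label}: {status}")
```

Running the script reports the two page examples as consistent and flags the constructed set because CQM_CAE_KEYSTORE still names an HFS .jks file while the type selects a RACF keyring. The same parser can be pointed at the actual STDENV lines copied from CQMCAESV before the CAE Server is started.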
For additional information describing the z/OS® facilities and how to work with them in Java™, refer to Java Security on z/OS - The Complete View:
http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf
Relevant sections include Chapter 11, Java and key management on z/OS, particularly Section 3, z/OS keystore details and provider requirements.