Requirements for certificate aliases to open AT-TLS socket

The CAE Server requires two private certificates, one private certificate for the webserver and another private certificate for the TLS socket which listens for CAE Agent connections.

You should import certificate for the webserver with the alias WEBSERVER and certificate for the CAE Agent TLS socket with the alias CAE_AGENT_PORTAL.

Updating the existing CAE Server keystore

Update the existing keystore to follow AT-TLS policy. If the Java keystore (defaultKeystore.jks) is used, then you can use the script cqm_cert_install.bat (for the CAE Server on Windows) or the job CQMCCERT (for the CAE Server on USS) to generate the correct certificate aliases. Use the script cqm_import_certs.bat (for the CAE Server on Windows) or the job CQMICERT (for the CAE Server on USS) to import the new certificates to the existing keystore. The existing CAE Server keystore must contain two certificate aliases, WEBSERVER and CAE_AGENT_PORTAL.

Important: If your site uses its own private certificate (for example, a certificate purchased from an organization) you can use it as the certificate alias in the CAE Server keystore instead of using the WEBSERVER and CAE AGENT_PORTAL parameters. You should import your certificate into the CAE Server keystore and into the mainframe keyring for outbound connections. It then behaves the same as the CAE_AGENT_PORTAL.

Importing CAE_AGENT_PORTAL certificate alias into outbound keyring on LPAR

After AT-TLS rules for inbound and outbound connections have been configured, you need to import the public certificate for the private certificate CAE_AGENT_PORTAL from the CAE Server keystore into the CAE Agent keyring AGENT_KEYRING_OUTBOUND. To retrieve this public certificate, use the script cqm_export_cert.bat (for the CAE Server on Windows) or the job CQMECERT from SAMPLIB (for the CAE Server on USS). When the public certificate is retrieved, it should be imported in keyring AGENT_KEYRING_OUTBOUND using SCQMSAMP library member CQMICERT.

Importing public certificate alias from inbound keyring on LPAR into the CAE Server truststore

Export the public certificate from the inbound keyring created during AT-TLS rules configuration using SCQMSAMP library member CQMECERT. Import this certificate into the default CAE Server truststore using the script cqm_import_certs.bat (for the CAE Server running on Windows) or job CQMICERT (for the CAE Server running on USS).
  • For the CAE Server on Windows, place the certificate you want to import into the <cae_install_dir>\certs directory, then run the script in the format "cqm_import_certs.bat -importincacerts" to add the certificate to <cae_install_dir>\bin\jre\lib\security\cacerts.
  • The CAE Server on USS does not have its own truststore repository. The public certificate alias should be imported into CAE Server keystore.