Enabling SSL support

The Data Virtualization Manager server allows you to configure an SSL connection so that data is sent encrypted.

Before you begin

Your user ID must have READ permission for the IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST profiles in the RACF FACILITY class. If SSLUSERID is not specified, the Data Virtualization Manager server address space default user ID is used.

Procedure

  1. Use the MODIFY PARM command to set the following parameters that are located in the Data Virtualization Manager configuration member, AVZSIN00:
    "MODIFY PARM NAME(SSL) VALUE(YES)"
    "MODIFY PARM NAME(SSLAUTODETECT) VALUE(NO)"
    "MODIFY PARM NAME(SSLCLIENTAUTH) VALUE(LOCAL)"
    "MODIFY PARM NAME(SSLCLIENTNOCERT) VALUE(ALLOW)"
    "MODIFY PARM NAME(SSLUSERID) VALUE(USERID)"

    Parameter: SSL
      Description: Enables SSL connections.
      Valid values:
        YES (default) - SSL connections are enabled.
        NO

    Parameter: SSLAUTODETECT (Optional)
      Description: Specifies whether the server automatically detects SSL connections that are sent on the port that is normally used for cleartext connections.
        Note: A separately configured SSL port accepts only SSL connections.
      Valid values:
        YES - The server automatically detects SSL connections on the cleartext port.
        NO (default) - Only cleartext connections can be handled on the cleartext port.

    Parameter: SSLCLIENTAUTH
      Description: Specifies how SSL client certificates are authenticated. Valid values are NONE, LOCAL, and PASSTHRU.
        Configuration of SSL support for the Data Virtualization Manager server requires that you designate the location of the certificate and keystore that the IBM-supplied SSL components use. The SSL support for the server can be configured to use a pair of native IBM SSL key database and key stash files.
      Valid values:
        LOCAL (default) - The server requests a client certificate during the SSL handshake. Certificates that are sent by the client are authenticated by using the certificate store that is designated by the other SSL startup parameters: either a GSK SSL key database or a RACF keyring.
        NONE - The server does not activate SSL client certificate processing and does not request client certificates.
        PASSTHRU - The server requests a client certificate during the SSL handshake. Certificates that are sent by the client are not authenticated upon receipt but are available for inspection by the transaction.

    Parameter: SSLCLIENTNOCERT (Optional)
      Description: Specifies the action to take if an SSL client fails to provide a valid X.509 certificate during session establishment.
        Note: The client's failure to provide a certificate might be because there is no mutually trusted signing authority. Lack of a certificate does not prevent the SSL session from being established and used.
        Note: The SSL handshake at session establishment completes before the FAIL action is applied.
      Valid values:
        ALLOW (default) - The server continues processing, ignoring the client's failure or inability to provide a certificate.
        FAIL - The server terminates its session with the client at the earliest possible opportunity.

    Parameter: SSLUSERID
      Description: Specifies the user ID under which the SSL resource manager subtask operates. If not specified, the SSL resource manager operates by using the subsystem's address-space-level user ID. This user ID must be authorized to open and read the SSL private key and certificate files. Using a separate user ID for this task prevents other transaction subtasks, and the server itself, from accessing this highly confidential information.
      Valid values: A user ID; Null (not specified) by default.
  2. To set up the ports, use the MODIFY PARM command to set the following parameters that are located in the Data Virtualization Manager configuration member, AVZSIN00:
    Required ports:
    "MODIFY PARM NAME(OEPORTNUMBER) VALUE(XXXX)"
    "MODIFY PARM NAME(WSOEPORT) VALUE(XXXX)"

    Optional ports:
    "MODIFY PARM NAME(OENLPORTNUMBER) VALUE(0)"
    "MODIFY PARM NAME(OESSLPORTNUMBER) VALUE(0)"
    "MODIFY PARM NAME(WSOEBALANCEDPORT) VALUE(0)"
    "MODIFY PARM NAME(WSOESSLPORT) VALUE(0)"

    Parameter: OEPORTNUMBER
      Description: Sets the port number that is used to LISTEN for, and ACCEPT all inbound TCP/IP sessions. The port number should be reserved for exclusive use by the main product address space.
      Valid values: 0 (default)

    Parameter: WSOEPORT
      Description: Specifies the port number that is used to listen for all inbound Services and IBM Data Virtualization Manager studio requests.
      Valid values: 0 (default)

    Parameter: OENLPORTNUMBER (Optional)
      Description: Sets the port number that is used to LISTEN for, and ACCEPT all inbound TCP/IP sessions that should not be considered candidates for load balancing to a different Data Virtualization Manager server in the same load-balancing group. The port number should be reserved for exclusive use by the main product address space. It must be different from the main OEPORTNUMBER and from the OESSLPORTNUMBER if that is used.
      Valid values: 0 (default)

    Parameter: OESSLPORTNUMBER (Optional)
      Description: Sets the port number that is used to LISTEN for, and ACCEPT all inbound encrypted OE Sockets TCP/IP sessions. This port number should be reserved for use only by the main product address space. Each copy of the main product address space needs its own port number if SSL over OE Sockets is being used. There is no default value for the SSL port number if the value is not set in the initialization EXEC.
      Valid values: Null (default)

    Parameter: WSOEBALANCEDPORT (Optional)
      Description: Specifies the port number that is used to listen for Services requests that can be balanced to group members.
      Valid values: 0 (default)

    Parameter: WSOESSLPORT (Optional)
      Description: Specifies the port number that is used to listen for Services requests over encrypted sessions.
      Valid values: 0 (default)
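As an added review check, not part of this documentation or of the product, the following Python script parses the MODIFY PARM statements from a constructed AVZSIN00 fragment and flags the combinations that the parameter descriptions above identify as weak or non-functional: SSLCLIENTNOCERT(ALLOW) alongside LOCAL client authentication, SSLAUTODETECT(NO) with no SSL port configured, two listeners sharing one port, and no SSLUSERID. The sample member and its port numbers are assumptions.

```python
import re

# Constructed AVZSIN00 sample (not from a real system); ports stand in for the page's XXXX.
SAMPLE_MEMBER = '''
"MODIFY PARM NAME(SSL) VALUE(YES)"
"MODIFY PARM NAME(SSLAUTODETECT) VALUE(NO)"
"MODIFY PARM NAME(SSLCLIENTAUTH) VALUE(LOCAL)"
"MODIFY PARM NAME(SSLCLIENTNOCERT) VALUE(ALLOW)"
"MODIFY PARM NAME(OEPORTNUMBER) VALUE(1200)"
"MODIFY PARM NAME(OENLPORTNUMBER) VALUE(1200)"
"MODIFY PARM NAME(OESSLPORTNUMBER) VALUE(0)"
'''

PARM_RE = re.compile(r'"MODIFY\s+PARM\s+NAME\((\w+)\)\s+VALUE\((\w*)\)"', re.I)
PORT_PARMS = ("OEPORTNUMBER", "WSOEPORT", "OENLPORTNUMBER", "OESSLPORTNUMBER",
              "WSOEBALANCEDPORT", "WSOESSLPORT")
UNSET = ("", "0")  # a port of 0 or an absent parameter means "no listener"


def parse_parms(member_text):
    """Collect NAME -> VALUE (upper-cased) from every MODIFY PARM statement."""
    return {m.group(1).upper(): m.group(2).upper() for m in PARM_RE.finditer(member_text)}


def review_ssl_config(parms):
    """Return findings derived from the parameter semantics documented on this page."""
    if parms.get("SSL", "YES") != "YES":
        return ["SSL=NO: the server accepts only cleartext sessions"]
    findings = []
    auth = parms.get("SSLCLIENTAUTH", "LOCAL")
    if auth == "LOCAL" and parms.get("SSLCLIENTNOCERT", "ALLOW") == "ALLOW":
        findings.append("SSLCLIENTNOCERT=ALLOW: a client without a valid certificate still "
                        "gets a session; use FAIL when client certificates are mandatory")
    elif auth == "PASSTHRU":
        findings.append("SSLCLIENTAUTH=PASSTHRU: the server does not authenticate client certificates")
    elif auth == "NONE":
        findings.append("SSLCLIENTAUTH=NONE: client certificates are never requested")
    # With autodetect off, only a dedicated SSL port can accept an encrypted session.
    ssl_ports = (parms.get("OESSLPORTNUMBER", ""), parms.get("WSOESSLPORT", ""))
    if parms.get("SSLAUTODETECT", "NO") == "NO" and all(p in UNSET for p in ssl_ports):
        findings.append("SSLAUTODETECT=NO and no SSL port set: no listener can accept SSL")
    # Every active listener needs its own port (OENLPORTNUMBER must differ from the others).
    active = [(parms.get(n, "0"), n) for n in PORT_PARMS if parms.get(n, "0") not in UNSET]
    seen = {}
    for port, name in active:
        if port in seen:
            findings.append(f"{name} reuses port {port} already assigned to {seen[port]}")
        seen[port] = name
    if not parms.get("SSLUSERID"):
        findings.append("SSLUSERID unset: the SSL subtask runs under the address space user ID, "
                        "so the private key is readable by the server's own identity")
    return findings
```

Running review_ssl_config(parse_parms(SAMPLE_MEMBER)) on the sample reports four findings; a member with SSLCLIENTNOCERT(FAIL), a distinct OESSLPORTNUMBER and an SSLUSERID reports none.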