Configuring IMS Universal drivers for SSL support in a stand-alone environment

To enable SSL in a stand-alone environment for the IMS Universal drivers, you need to generate and configure an SSL keystore.

Prerequisites:
  • You must first set up the IBM® z/OS® Communications Server Application Transparent Transport Layer Security (AT-TLS) to enable SSL support on the z/OS system for IMS Connect.
  • You also need to retrieve the client certificate (.crt) to your local file system. To retrieve the certificate, from TSO, browse the OMVSID.CERTAUTH.CERT member. Copy its contents into a text file on your local file system, and remove any trailing spaces. Name the file hostname.crt.

To configure the IMS Universal DL/I driver or the IMS Universal JDBC driver for SSL support:

Procedure

  1. Generate a new SSL keystore by using the Java™ Keytool provided by the Java SDK.
    This keystore file will be used as a truststore by the JRE during SSL handshaking when it creates an SSL connection to IMS. Save the keystore (.ks) file on your local file system and record its location. Set the password for the keystore and record it.

    Keystore files can contain public/private key pairs that are generated on the local system as well as public keys (in the form of certificates) that are received from remote communicating peers. When the keystore is accessed to retrieve a certificate of a communicating peer for use during SSL handshaking, the keystore file is referred to as a truststore.

  2. Verify that the certificate has not been tampered with before importing the certificate (.crt) file into the keystore as a trusted self-signed certificate.
    You can do this with the Keytool by viewing the fingerprint of the local certificate and comparing it to the original that was extracted from the key ring file on the host.
  3. Set the fully qualified path to the keystore file as the value for the system property javax.net.ssl.trustStore and set the keystore password as the value for the system property javax.net.ssl.trustStorePassword.
    Optionally, to troubleshoot any SSL-related problems, you can turn on the SSL client-side trace by setting the system property javax.net.debug=all. To specify the system properties from the command line, enter:
    java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=myTruststore \
      -Djavax.net.ssl.trustStorePassword=myTruststorePassword MyApp
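
Steps 1 and 2 as a script, added here as an example and not part of the original procedure: it reads the SHA-256 fingerprint of hostname.crt with keytool, compares it with the fingerprint obtained on the host, and imports the certificate into the truststore only when they match. The alias imsconnect, the default file name myTruststore.ks and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page).
# Usage: sh import_cert.sh hostname.crt <fingerprint-from-host> [truststore-file]

# Normalize a fingerprint: drop colons and whitespace, uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeed only when both fingerprints are non-empty and identical once normalized.
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint that "keytool -printcert" reports for a file.
# Assumes the keytool output line has the form "SHA256: AA:BB:...".
cert_fingerprint() {
    keytool -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Step 2, then step 1: verify the local copy, then create or extend the truststore.
import_verified_cert() {
    crt=$1
    expected=$2
    ks=${3:-myTruststore.ks}        # assumed default truststore file name
    actual=$(cert_fingerprint "$crt")
    if ! fingerprints_match "$actual" "$expected"; then
        echo "fingerprint mismatch for $crt (local copy: ${actual:-unreadable})" >&2
        return 1
    fi
    # -noprompt skips keytool's own "Trust this certificate?" question because the
    # comparison above already made that decision. keytool prompts for the keystore
    # password; record it for javax.net.ssl.trustStorePassword.
    keytool -importcert -noprompt -alias imsconnect -file "$crt" -keystore "$ks" &&
        keytool -list -v -alias imsconnect -keystore "$ks"
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    import_verified_cert "$@"
fi
```

Because keytool prompts for the password here, it does not appear in the shell history or the process list during the import.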