Configuring secure communications from CICS TG client applications to Z APM Connect Distributed Gateway in OpenShift clusters

After you set up secure communications from CICS Transaction Gateway (CICS TG) on z/OS to Z APM Connect Distributed Gateway (Z APM Connect DG), set up secure communications from CICS TG client applications on the distributed platform to Z APM Connect DG.

Before you begin

On the machine that runs CICS TG, ensure that your LPAR has been set up with the necessary keystores to communicate with Z APM Connect DG. For more information, see Configuring secure communications between z/OS components and Z APM Connect Distributed Gateway Linux machine.

Make sure that the Secrets for Kafka, the Connection Manager, and Z APM Connect DG are created, and that TLS is enabled on both the Connection Manager and Kafka routes so that the OpenShift router can direct traffic properly. Without TLS, there is no SNI header indicating the desired host name. For more information, see Prerequisites to deploy Z APM Connect DG on OpenShift using Helm.

Procedure

  1. On the machine running your client application, move zos.keystore.jks and zos.truststore.jks to the directory specified by the system property AGM.CONF.LOCATION.
    • To configure mutual authentication, move both zos.keystore.jks and zos.truststore.jks.
    • To configure client authentication, move only zos.keystore.jks if you enabled security on your Kafka server when running configureZosTls.sh.
    • To configure server authentication, move only zos.truststore.jks if you want your client application to authenticate your Kafka server.
  2. Define the system properties for the JVM on your client machine.
    • If you move both .jks files, define the following system properties:
      agm.ssl.key.password
      agm.ssl.client.auth=on
      agm.ssl.keystore.password
      agm.ssl.server.auth=on
      agm.ssl.truststore.password
    • If you move only zos.keystore.jks, define the following system properties:
      agm.ssl.key.password
      agm.ssl.client.auth=on
      agm.ssl.keystore.password
    • If you move only zos.truststore.jks to the machine that runs your client application, define the following system properties:
      agm.ssl.key.password
      agm.ssl.server.auth=on
      agm.ssl.truststore.password
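
A preflight check for steps 1 and 2, as an added example that is not part of the product documentation: it compares the .jks files found in the AGM.CONF.LOCATION directory with the agm.ssl.* properties you intend to pass to the JVM. The function names are hypothetical, and it assumes the properties are supplied as -Dname=value options.

```shell
# check_agm_tls CONF_DIR JVM_OPTION...
# CONF_DIR: the directory named by AGM.CONF.LOCATION. JVM options are assumed
# to be passed as -Dname=value. Property values are never printed.

# Print the value of -D<name>=<value> if it is among the remaining arguments.
prop_value() {
    name=$1; shift
    for arg in "$@"; do
        case $arg in "-D$name="*) printf '%s' "${arg#*=}"; return 0 ;; esac
    done
}

# The auth switch must be "on" exactly when its store is in CONF_DIR
# (on without the store is treated here as a misconfiguration).
auth_matches() {   # $1 = store present (yes/no), $2 = property value
    if [ "$1" = yes ]; then [ "$2" = on ]; else [ "$2" != on ]; fi
}

report() { echo "FINDING: $*" >&2; findings=$((findings + 1)); }

check_agm_tls() {
    dir=$1; shift
    findings=0
    ks=no; ts=no
    if [ -f "$dir/zos.keystore.jks" ]; then ks=yes; fi
    if [ -f "$dir/zos.truststore.jks" ]; then ts=yes; fi
    [ "$ks$ts" != nono ] || report "no zos.keystore.jks or zos.truststore.jks in $dir"

    # Password properties the procedure lists for the stores that are present.
    required="agm.ssl.key.password"
    if [ "$ks" = yes ]; then required="$required agm.ssl.keystore.password"; fi
    if [ "$ts" = yes ]; then required="$required agm.ssl.truststore.password"; fi
    for p in $required; do
        [ -n "$(prop_value "$p" "$@")" ] || report "$p is not set"
    done

    auth_matches "$ks" "$(prop_value agm.ssl.client.auth "$@")" ||
        report "agm.ssl.client.auth does not match zos.keystore.jks presence"
    auth_matches "$ts" "$(prop_value agm.ssl.server.auth "$@")" ||
        report "agm.ssl.server.auth does not match zos.truststore.jks presence"

    # Added hardening check, not a step from the page: the keystore holds the
    # client's private key, so flag it if other local users can read it.
    if [ "$ks" = yes ] && [ -n "$(find "$dir/zos.keystore.jks" -prune -perm -004)" ]; then
        report "zos.keystore.jks is world-readable"
    fi
    [ "$findings" -eq 0 ]
}
```

The function returns 0 when the files and properties are consistent and writes one FINDING line to stderr for each mismatch.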