TKE catcher configuration for a TLS connection
Communication between the TKE workstation and the catcher.exe daemon (controlled by the CSUTKEcat script) can be sent through a plain TCP connection (TCP mode) or, starting with CCA 8.0, a TLS connection (TLS mode). In both modes, the TKE catcher.exe daemon listens on port 50003.
During installation and start-up, the CSUTKEcat script checks if TLS mode is possible by querying the OpenSSL version. If OpenSSL is installed as version 1.1.1 or newer, then the catcher daemon starts in TLS mode. Otherwise, it starts in TCP mode. The catcher performs the necessary configuration changes for running in either mode as necessary. However, if running in TLS mode, there is further set up required for use in a production environment, or if you want to switch back to TCP mode (the legacy connection used in CCA 7.x and earlier). This section describes how to switch between the TLS and TCP modes. It also describes the setup and configuration that the catcher daemon uses to establish a TLS connection to communicate with your TKE. This covers setup on the machine on which your catcher is running, and setup on the TKE with which you want to connect and communicate. The TKE information here is surface level. Use it in concert with the z/OS Cryptographic Services.
The catcher will check if the key and the certificate in the catcher.key and catcher.crt files are already in place and proceed depending on the results:
- If they are both in place it continues as normal.
- If neither is in place, then it generates its own ECC P521 key and certificate to be used and place them in the correct location.
- If only one of the files is in place, but the other is missing, then the catcher sends an error message to the log and cancels the catcher startup.
Important upgrade note
- When upgrading to CCA 8.0 from
CCA 7.3 or earlier, the default
catcher mode changes from TCP to TLS mode for systems with OpenSSL version 1.1.1 or later. This means
that further setup is required to continue the communication between the catcher and the TKE.
- You can achieve this either by setting the catcher mode back to TCP and then restarting the catcher daemon.
- Or you can complete the TLS mode setup.
Both tasks are described in subtopics within this information unit.
- When setting the connection modes (TCP or TLS) for the TKE catcher, you must ensure that the TKE Host definition matches that mode. Do this by checking or unchecking the Enable SSL/TLS check box on the Create New Host or Change Host window of the Trusted Key Entry tool. See the "Enable TCP connection on the TKE" and "Enable TLS connection on the TKE" sections for more details.
Restrictions
When running in TLS mode, the catcher only uses TLS version 1.2 or higher.
Supported keys
- RSA 1024 – 4096Note: You should only use RSA 2048 or stronger keys.
- ECC
- prime256v1
- secp384r1
- secp521r1
Dependencies
- You must have OpenSSL installed on
your system together with one of the following libraries:
- libssl.so.1.1
- libssl.so.3
- See Distribution-specific information and the Release Notes for CCA 8.0 for information about distributions
that support TLS mode. Additionally, you can check your OpenSSL library by running one of the following
commands and comparing your output to the list of the previously listed libraries:
ls -l /usr/lib*/*/libssl.so* ls -l <library_path>/libssl.so* -rw-r--r-- 1 root root 659392 Oct 27 17:06 /usr/lib/s390x-linux-gnu/libssl.so.3
Important files
- /etc/cca/catcher.conf
- Configuration file for CCA catcher.exe daemon (CSUTKEcat): Used to switch between TCP mode and TLS mode.
- /opt/IBM/CCA/bin/catcher.key
- File containing the private key used by the catcher.exe daemon in the TLS connection.
- /opt/IBM/CCA/bin/catcher.crt
- File containing the certificate used by the catcher.exe daemon in the TLS connection.
Setup for TLS mode
- Generate or otherwise acquire the TLS key and certificate you want to use:
- The key and certificate must by in PEM format.
- The Common Name (CN) attribute within the Subject tag of the certificate must match the host name/IP value used in your TKE host setup. This is usually your server hostname, but an IP address is also acceptable. You may put your hostname in the Common Name attribute within the Subject Name, and your IP address(es) in your Subject Alternative Name field.
- Example 1 (RSA based):
This example produces a self-signed certificate, which is only suitable for testing.
openssl req -newkey rsa:2048 -nodes -keyout catcher.key -x509 -days 365 -subj "/CN=<server hostname>" -addext "subjectAltName = IP:<ip_address>" -out catcher.crt - Example 2 (ECC prime256v1 based):
Optional step: Use the following command to print details about the mechanism to use:
openssl ecparam -list_curves | grep prime256v1
The output may look similar to the following:prime256v1: X9.62/SECG curve over a 256 bit prime field
Use the following commands to acquire key and certificate:openssl ecparam -out catcher.key -name prime256v1 -genkey openssl req -new -key catcher.key -x509 -nodes -days 365 -subj "/CN=<server hostname>" -addext "subjectAltName = IP:<ip_address>" -out catcher.crtOptional step: Use the following command to display details about the generated certificate:
openssl x509 -in catcher.crt -text -noout
- Place your key and certificate into the /opt/IBM/CCA/bin/ directory. Replace the
auto-generated key and certificate if one was created by the catcher daemon.
- Use the name
catcher.keyfor the key file and the namecatcher.crtfor the certificate file. - Example:
cp catcher.key /opt/IBM/CCA/bin/catcher.key cp catcher.crt /opt/IBM/CCA/bin/catcher.crt
- Use the name
- Restart the catcher daemon to ensure your new key and certificate are in use, for
example:
systemctl restart CSUTKEcat
- Import your catcher certificate into your TKE:
- This can be done in the following two ways:
- Method 1: Physical media (USB stick) import
- Method 2: Remote server import
- Follow the instructions for your chosen import method in topic Importing the catcher certificate into the TKE.
- This can be done in the following two ways:
- Start running the catcher in TLS mode (if not already running in this mode):
- Follow the instructions in topic Change the catcher to TLS mode.
- Enable the TLS connection on the TKE:
- Follow the instructions in topic Enable TLS connections on the TKE.
Everything is set up now. Any communication between the TKE and the CCA TKE catcher will now go through TLS.
Importing the catcher certificate into the TKE
Method 1: Physical Media Import
- Format your USB stick using the TKE:
- Insert your USB stick into the TKE server.
- Starting on the TKE Welcome Page: Select the Launch the Trusted Key Entry Console web application link.
- Select Service Management in the left sidebar menu.
- Select Format Media on the Service Management page.
- Select the Trusted Key Entry data radio button in the Format Media window. Then select Format.
- Select your USB stick from the list on the Select Media Device window. Then select OK.
- Select the appropriate file system for your machines on the Specify File System window. Then select Format.
- Select Yes on the Format Media window when asked whether you are sure that you want to continue. You may need to wait a few seconds for the formatting to complete.
- Select OK on the Format Media Complete window.
- Now that the formatting is complete, eject your USB stick.
- Copy your catcher.crt file onto your USB stick.
- Import the catcher.crt file into the TKE:
- Insert your USB stick into the TKE server.
- Starting on the TKE Welcome Page: Select the Privilaged Mode Access link .
- Login with your user credentials.
- Select Service Management in the left sidebar menu.
- On the Service Management page, scroll down to the Configuration section and select Certificate Management.
- Select the drop-down menu Import on the Manage Trusted Signing Certificates window. Then select From Removable Media.
- Select your USB stick from the list on the Select Media Device window. Then select OK.
- Select the catcher.crt file from the right listing of files in the Certificate Management window. Then select OK. Confirm the informational dialog with OK: "The signing certificate(s) have been imported successfully."
- After the import has succeeded you see a Confirm Import window. Verify the displayed certificate information. Then select Yes to finalize the import.
- Your certificate has now been imported, and you should see it displayed in the Manage Trusted Signing Certificates window.
- Eject the USB stick.
Method 2: Remote Server Import
- If required, start running the catcher in TLS mode. Follow the steps described in topic Change the catcher to TLS mode.
- Starting on the TKE Welcome Page: Select the Privilaged Mode Access link.
- Login with your user credentials.
- Select Service Management in the left sidebar menu.
- On the Service Management page, scroll down to the Configuration section and select Certificate Management.
- Select the drop-down menu Import on the Manage Trusted Signing Certificates window. Then select From Remote Server.
- Enter the same IP/Host and Port you are using to connect to the catcher on the Import Remote Certificate window. Then select OK. You may see a Please wait... window while the certificate is acquired.
- After the import has succeeded, you should see a Confirm Import window. You must verify the shown certificate information, particularly the hashes, to ensure you are importing your certificate. Then select Yes to finalize the import.
- Your certificate has now been imported, and you should see it displayed in the Manage Trusted Signing Certificates window.
Change the catcher to TLS mode
- In the /etc/cca/catcher.conf file, change the line
TLS_OFFtoTLS_ONand save the file. - Restart the catcher daemon. For example, enter the command: systemctl restart CSUTKEcat.
- [optional] Verify that the catcher is running in TLS mode:
- Check that the catcher.exe was started with the
-tlsoption. - Run the following command: ps -ax | grep catcher.exe. The output should show
catcher.exe -tls(with the-tlsoption), otherwise you are running in TCP mode. For example:$ ps -ax | grep catcher.exe 39518 ? Ss 0:00 /opt/IBM/CCA/bin/catcher.exe -tls
- Check that the catcher.exe was started with the
Enable TLS connections on the TKE
- Set up for TLS mode and change your catcher daemon to TLS mode, if required. Follow the instructions in topic Setup for TLS mode.
- Starting on the TKE Welcome Page: Select the Launch the Trusted Key Entry Console web application link.
- Select Trusted Key Entry in the left sidebar menu.
- Select the applicable Trusted Key Entry version on the Trusted Key Entry page.
- Login with your user credentials.
- On the Trusted Key Entry window,
perform the following:
a) If the host already exists and you just want to change the connection to TLS:
- Right click on your Host.
- Select Change Host.
- On the Change Host window: Select the Enable SSL/TLS check box, then press OK.
b) If you want to create a new Host with a TLS connection:
- Right click in the Hosts area.
- Select Create Host.
- On the Create Host window:
Fill in the needed information. Select the Enable SSL/TLS check box, then press OK.
- TLS connections are now enabled for that Host.
Updating the catcher key and certificate
If you want to update the key and certificate for your TLS connection, then use the following instructions.
- Generate or otherwise acquire the new TLS key and certificate you want to use.
- The key and certificate must by in PEM format.
- The Common Name (CN) attribute within the Subject tag of the certificate must match the host name/IP value used in your TKE host setup. This is usually your server hostname, but an IP address is also acceptable. You may put your hostname in the Common Name attribute within the Subject Name, and your IP address(es) in your Subject Alternative Name field..
- Example (to produce a self-signed certificate, which is only suitable for
testing):
openssl req -newkey rsa:2048 -nodes -keyout catcher.key -x509 -days 365 -subj "/CN=<server hostname>" -addext "subjectAltName = IP:<ip_address>" -out catcher.crt
- Place your new key and certificate into the /opt/IBM/CCA/bin/ directory.
- Use the name
catcher.keyfor the key file and the namecatcher.crtfor the certificate file. - If you want to save your old key and certificate, then rename the files or move them to another directory.
- If you do not want to save the old key and certificate, then you can overwrite the current files with your new files. This might be the case if the current catcher.key and catcher.crt files were automatically generated by the catcher daemon itself.
- Example:
cp catcher.key /opt/IBM/CCA/bin/catcher.key cp catcher.crt /opt/IBM/CCA/bin/catcher.crt
- Use the name
- Import your new catcher certificate into your TKE. This can be done in two ways.
- Method1: Physical media (USB stick) import
- Method2: Remote server import
- Restart the catcher daemon to ensure your new key and certificate are in use. For example, issue the following command: systemctl restart CSUTKEcat
- Your new TLS key and certificate are now in place.
Change the catcher to TCP mode
- In the /etc/cca/catcher.conf file, change the line
TLS_ONtoTLS_OFFand save the file. - Restart the catcher daemon. For example, enter the command: systemctl restart CSUTKEcat.
- [optional] Verify that the catcher is running in TCP mode :
- Check that the catcher.exe was started without the
-tlsoption. - Run the following command: ps -ax | grep catcher.exe. The output should show
only
catcher.exe(without the-tlsoption). For example:$ ps -ax | grep catcher.exe 29716 ? Ss 0:00 /opt/IBM/CCA/bin/catcher.exe
- Check that the catcher.exe was started without the
Enable TCP connections on the TKE
- Change your catcher daemon to TCP mode. Follow the instructions in Change the catcher to TCP mode.
- Starting on the TKE Welcome Page: Select the Launch the Trusted Key Entry Console web application link.
- Select Trusted Key Entry in the left sidebar menu. This might already be selected.
- Select the applicable Trusted Key Entry version on the Trusted Key Entry page.
- On the Trusted Key Entry window,
perform the following:
a) If the host already exists and you just want to change the connection to TCP:
- Right click on your Host.
- Select Change Host.
- On the Change Host window: Click on the Enable SSL/TLS check box, so that it is in the unchecked state. Then press OK.
b) If you want to create a new Host with a TCP connection:
- Right click in the Hosts area.
- Select Create Host.
- On the Create Host window:
Fill in the needed information. Click on the Enable SSL/TLS check box, so that it is in the unchecked state. Then press OK.
- TCP connections are now enabled for that Host.