Setting up security for IMS Connect servers
This section covers security setup procedures that may become necessary for the Unified Management Server to communicate with IMS Connect servers securely.
Making CA certificates for IMS Connect servers available for UMS
The TCP/IP communication from the Unified Management Server to IMS Connect servers can be secured by using Transport Layer Security (TLS).
- The IMS SQL processor uses IMS Universal JDBC Driver
- The IMS command processor and catalog query features use IMS Connect Client for Java API to issue IMS type-1 and type-2 commands through IMS Operations Manager
These two features support TLSv1.2 and TLSv1.3 for TLS connections to IMS Connect. Lower protocol versions that are supported by IMS Universal JDBC Driver or IMS Connect Client for Java are not supported under the Unified Management Server.
- Using SAF key ring for the Unified Management Server
- Using file-based certificate management
Using a SAF key ring for the Unified Management Server is the recommended method for enabling the TLS connection, although file-based certificate management is also covered in this section.
With server authentication, the IMS Connect server can serve any client. In cases where proof of the Unified Management Server's identity is also important, use client authentication (also called mutual authentication), which builds upon server authentication. Client authentication is optional.
For details on configuring IMS Connect as a server with TLS support by using IBM z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS) and the policy agent on z/OS, see the IMS documentation.
For the procedure to prepare the necessary CA certificates for TLS connections to IMS Connect server ports and to add them to the truststore used by the Unified Management Server, see Setting up secure communication for UMS.
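Before adding a CA certificate to the truststore, it can help to confirm that the IMS Connect port completes a handshake under the same constraints described above (TLSv1.2 or TLSv1.3 only, chain validated against that CA). The following pre-flight check is an added example, not part of the product or its documentation; the function names are hypothetical, and the host, port, CA PEM file and optional client certificate paths are assumed to be supplied by the operator.

```python
import socket
import ssl


def build_context(ca_file=None, client_cert=None, client_key=None):
    """Client context that refuses anything below TLSv1.2.

    ca_file: PEM file holding the CA certificate(s) exported for the
    IMS Connect port (assumed path). If omitted, system defaults are used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if client_cert:
        # Optional client (mutual) authentication.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def probe(host, port, ctx, timeout=5.0):
    """Attempt one handshake; return (ok, detail) instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        # The chain does not validate against ca_file, or the name mismatches.
        return False, f"certificate not trusted: {exc.verify_message}"
    except ssl.SSLError as exc:
        # Covers a port without TLS or one offering only older protocols.
        return False, f"handshake failed: {exc.reason or exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    import sys

    # Usage: script.py <host> <port> <ca.pem>
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok, detail = probe(host, port, build_context(ca))
    print(("OK   " if ok else "FAIL ") + detail)
    sys.exit(0 if ok else 1)
```

A "certificate not trusted" result means the CA file does not match the chain that the port presents; a "handshake failed" result usually means that the port has no TLS policy or offers only protocol versions below TLSv1.2.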