On z/OS®: Configuring default TLS for the Problem Insights server as a stand-alone application
When you install the Problem Insights server as a stand-alone application, the server is automatically set up for the encryption of data in transit. You can only access the server via an HTTPS connection. You can change the default values according to your needs.
- The keystore is stored in the key.p12 file under <PI_HOME>/wlp/usr/servers/piFrameworkServer/resources/security.
- The certificate is also exported to the piserver.crt file under <PI_HOME>/wlp/usr/servers/piFrameworkServer/resources/security.
- The keystore password is stored in the keystore_password property of the server.env file in <PI_HOME>/wlp/usr/servers/piFrameworkServer.
The izoa-setup.run script additionally creates a PKCS12 truststore for the Problem Insights server that is populated with the gateway service certificate by the getGatewayCert.sh script.
- The truststore is stored in the piserver.ts file under <PI_HOME>/wlp/usr/servers/piFrameworkServer/resources/security.
- The password for the truststore is stored in AES-encrypted form in the keycloak.truststore.password property of the cli.config file. The default value of this password is the same as the keystore_password property of the <PI_HOME>/wlp/usr/servers/piFrameworkServer/server.env file.
Changing the password of the Problem Insights keystore and certificate
- The passwords for keystore and certificate must be the same.
- The keystore_password property value in the server.env file under <PI_HOME>/wlp/usr/servers/piFrameworkServer must be updated with the new password.
After you change the passwords, you must restart the Problem Insights server for the changes to take effect.
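Before the restart, it is worth confirming that the value in server.env actually opens key.p12. The script below is an added example, not part of the product or its documentation. It assumes that server.env contains plain name=value lines, that keystore_password is stored unencoded, and that keytool from the server's Java runtime is on the PATH. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not product code. Assumptions: server.env holds plain
# name=value lines, the password is stored unencoded, keytool is on PATH.

# Print the value of property $2 from file $1 (last definition wins).
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Classify a stored value as missing, encoded ({aes}/{xor} style) or plain.
classify_value() {
    case "$1" in
        "")       echo missing ;;
        "{"*"}"*) echo encoded ;;
        *)        echo plain ;;
    esac
}

# $1 = PI_HOME. Returns 0 only if keystore_password opens key.p12.
check_keystore() {
    srv="$1/wlp/usr/servers/piFrameworkServer"
    env_file="$srv/server.env"
    ks="$srv/resources/security/key.p12"
    [ -r "$env_file" ] || { echo "cannot read $env_file" >&2; return 2; }
    [ -r "$ks" ] || { echo "cannot read $ks" >&2; return 2; }
    pw=$(get_prop "$env_file" keystore_password)
    case $(classify_value "$pw") in
        missing) echo "keystore_password not set in $env_file" >&2; return 3 ;;
        encoded) echo "keystore_password is encoded, cannot test it" >&2; return 4 ;;
    esac
    # Hand the password over in the environment, not argv, so it does not
    # appear in process listings. keytool -list checks the store password.
    if PI_KS_PASS="$pw" keytool -list -keystore "$ks" -storetype PKCS12 \
            -storepass:env PI_KS_PASS >/dev/null 2>&1; then
        echo "OK: keystore_password opens $ks"
    else
        echo "MISMATCH: keystore_password does not open $ks" >&2
        return 1
    fi
}

# Run the check when a PI_HOME path is given on the command line.
if [ "$#" -gt 0 ]; then check_keystore "$1"; fi
```

Run it with the PI_HOME directory as the only argument. A nonzero exit status means the server would fail to open its keystore after the restart.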
Changing the password of the Problem Insights truststore and the gateway certificate
You can change the passwords for the truststore and gateway certificate that is contained in it only when the following conditions are met:
- The passwords for truststore and certificate must be the same.
- The keycloak.truststore.password property value in the cli.config file under <PI_HOME>/config must be updated with the new password.
After you change the passwords, you must restart the Problem Insights server for the changes to take effect.
Replacing the self-signed Problem Insights server certificate
- The new certificate is imported into the keystore.
- The name and type of the keystore are not changed.
- The name of the certificate file is not changed.
After you replace the certificate, you must restart the Problem Insights server for the change to take effect.
Replacing the self-signed gateway service certificate
You can replace the self-signed gateway certificate with a CA-signed certificate only when the following conditions are met:
- The new certificate is imported into the truststore.
- The name and type of the truststore are not changed.
- The certificate is also imported into the gateway keystore at <PI_HOME>/ssl/zoasvc.ks.
- The certificate is also imported into the gateway truststore at <PI_HOME>/ssl/zoasvc.ts.
- The certificate is also saved as zoasvc.crt at <PI_HOME>/ssl/.
- All other consumers of the gateway certificate or truststore files are updated with the new certificate.
After you replace the certificate, you must restart the Problem Insights server, the gateway service, and any other consumers of the gateway certificate, for the change to take effect.