Step 36A: Enabling SOAP over HTTPS for a TEMS
This step is necessary if you want SA z/OS to direct SOAP queries to Tivoli Enterprise Monitoring Server (TEMS) using the HTTPS protocol. If you do not do this, you can only use the insecure HTTP protocol.
If you intend to communicate with multiple TEMS servers from the same system (for example, in an HA hub TEMS configuration not running on z/OS), you need to repeat this step for each one.
Please refer to the z/OS Communications Server documentation for details.
Be aware that the TCP/IP profile must contain the statement TCPCONFIG TTLS for the processed policy definitions to be activated.
AT-TLS Policy
Figure 1 is a sample AT-TLS policy with the highest TCP/IP trace level. Specify <tlsKeyring> and <ip_addr> accordingly. The <ip_addr> is the IP address of the machine hosting the TEMS server that you want to direct the SOAP query to:
# Outbound connections from any local address to the TEMS HTTPS port
TTLSRule NV_TEMS_WIN
{
  LocalAddr                 ALL
  RemoteAddrRef             addr_TEMS
  LocalPortRange            0
  RemotePortRange           3661
  Direction                 Outbound
  Priority                  255
  TTLSGroupActionRef        XXGRP
  TTLSEnvironmentActionRef  XXENV
  TTLSConnectionActionRef   XXCON
}
TTLSGroupAction XXGRP
{
  TTLSEnabled               On
}
TTLSEnvironmentAction XXENV
{
  HandshakeRole                   Server
  EnvironmentUserInstance         0
  TTLSKeyringParmsRef             keyRing
  TTLSEnvironmentAdvancedParmsRef XXADV
  # Trace 255 is the highest trace level
  Trace                           255
}
TTLSConnectionAction XXCON
{
  # z/OS opens the connection to the TEMS and acts as the TLS client
  HandshakeRole             Client
  Trace                     255
}
TTLSEnvironmentAdvancedParms XXADV
{
  ApplicationControlled     Off
  ClientAuthType            PassThru
}
# Replace <tlsKeyring> with the keyring that holds the TEMS certificate
TTLSKeyringParms keyRing
{
  Keyring                   <tlsKeyring>
}
# Replace <ip_addr> with the IP address of the machine hosting the TEMS
IpAddr addr_TEMS
{
  addr                      <ip_addr>
}
Certificate registration in keyring
The ITM SOAP server sends a self-signed certificate, which has to be registered in the keyring. The certificate can be obtained easily by sending a web request from a workstation browser to:
https://<ip_addr>:3661///cms/soap/kshhsoap.htm
You are asked to accept or deny the certificate. Store this certificate in X.509 PEM format (base64), upload this file to z/OS® with ASCII to EBCDIC translation, and add it to your keyring.
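Because the certificate is self-signed, nothing in the browser dialog proves it came from the TEMS. The following added example (not part of the original documentation) checks a saved PEM file on the workstation before it is uploaded: exactly one certificate, ASCII only, and a SHA-256 fingerprint that matches one obtained on the TEMS host itself. The function names and the out-of-band fingerprint are assumptions of this example.

```python
import hashlib
import ssl

TEMS_HTTPS_PORT = 3661  # port used in the policy and URL on this page


def _hex(fp: str) -> str:
    """Reduce a fingerprint to bare upper-case hex for comparison."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 of the DER encoding, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pem_for_upload(pem: str, expected_fp: str) -> str:
    """Return upload-ready PEM text, or raise ValueError.

    expected_fp (assumption): fingerprint read on the TEMS host itself and
    passed on out of band, so a certificate substituted on the network path
    is rejected instead of being added to the keyring.
    """
    if pem.count("-----BEGIN CERTIFICATE-----") != 1:
        raise ValueError("expected exactly one certificate")
    if not pem.isascii():  # text-mode transfer translates ASCII to EBCDIC
        raise ValueError("PEM text contains non-ASCII characters")
    actual = fingerprint_sha256(pem)
    if _hex(actual) != _hex(expected_fp):
        raise ValueError(f"fingerprint mismatch, server sent {actual}")
    # One LF-terminated record per line, no CR, no trailing blank lines.
    return "\n".join(pem.strip().splitlines()) + "\n"


def fetch_and_check(host: str, expected_fp: str, out_path: str) -> None:
    """Fetch what the SOAP server presents and save it only if it matches."""
    # get_server_certificate() does not validate the certificate; the
    # fingerprint comparison is the only trust decision made here.
    pem = ssl.get_server_certificate((host, TEMS_HTTPS_PORT))
    with open(out_path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(check_pem_for_upload(pem, expected_fp))


if __name__ == "__main__":
    # Constructed bytes, not a real certificate: only the encoding is exercised.
    sample = ssl.DER_cert_to_PEM_cert(bytes(range(200)))
    print(fingerprint_sha256(sample))
```

The file written by fetch_and_check is the one to upload with ASCII to EBCDIC translation; a binary-mode transfer would leave the PEM text unreadable on z/OS.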